A newly documented Iranian-aligned threat actor has been using new tactics and tools, including an updated version of the PowerLess backdoor, in attacks targeting entities in Israel, Check Point Research says.
The Israeli cybersecurity company has linked the activity cluster it dubbed Educated Manticore to the well-known Iranian state-backed hacking group Phosphorus (aka APT35, Charming Kitten, Cobalt Illusion, ITG18, Mint Sandstorm, TA453, and Yellow Garuda). Past reports attributed the PowerLess implant to Phosphorus.
“While the new PowerLess payload remains similar, its loading mechanisms have significantly improved, adopting techniques rarely seen in the wild, such as using .NET binary files created in mixed mode with assembly code. The newly discovered version is likely intended for phishing attacks focused around Iraq, using an ISO file to initiate the infection chain. Other documents inside the ISO file were in Hebrew and Arabic languages, suggesting the lures were aimed at Israeli targets,” according to Check Point.
Deployment of the backdoor is a multi-stage process: a lure (an ISO image named Iraq development resources.iso and the decoy documents it contains), an initial loader, a downloader, the PowerLess loader, and finally the PowerLess PowerShell payload.
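The "mixed mode" .NET loaders mentioned above are assemblies that carry native machine code alongside managed IL, which defeats the assumption that a .NET executable can be fully recovered with a decompiler. The CLR (COR20) header in the PE records this directly: an IL-only assembly sets the COMIMAGE_FLAGS_ILONLY bit, while a mixed-mode one leaves it clear (and may additionally set COMIMAGE_FLAGS_NATIVE_ENTRYPOINT). The following triage script is an added example and is not code from Check Point or from the report; it parses the PE headers without third-party libraries, follows the CLR data directory to the COR20 header, and classifies the file. The build_sample_pe helper constructs a minimal synthetic PE32 image so the script runs offline; it is not a sample of the malware. Note the caveat: legitimate C++/CLI binaries are also mixed-mode, so the result is a reason to look closer at a file from an ISO lure, not a verdict.

```python
"""Classify a PE as native, IL-only .NET, or mixed-mode .NET by reading the COR20 header."""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR runtime header slot in the data directory
COMIMAGE_FLAGS_ILONLY = 0x1                 # set -> pure managed IL, no native code
COMIMAGE_FLAGS_NATIVE_ENTRYPOINT = 0x10     # set -> EntryPoint field is a native RVA, not a token


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table (va, vsize, raw_ptr, raw_size)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def classify_pe(data: bytes) -> dict:
    """Return {'kind': 'native'|'il-only'|'mixed-mode', 'clr_flags': int|None, 'native_entrypoint': bool}."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    pe = _u32(data, 0x3C)                       # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = _u16(data, pe + 6)                  # COFF NumberOfSections
    opt_size = _u16(data, pe + 20)              # COFF SizeOfOptionalHeader
    opt = pe + 24                               # optional header start
    magic = _u16(data, opt)
    if magic == 0x10B:                          # PE32
        dd_off, ndd_off = 96, 92
    elif magic == 0x20B:                        # PE32+
        dd_off, ndd_off = 112, 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndd = _u32(data, opt + ndd_off)             # NumberOfRvaAndSizes
    sect_tbl = opt + opt_size
    sections = []
    for i in range(nsect):
        s = sect_tbl + 40 * i
        sections.append((_u32(data, s + 12), _u32(data, s + 8), _u32(data, s + 20), _u32(data, s + 16)))
    result = {"kind": "native", "clr_flags": None, "native_entrypoint": False}
    if ndd <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return result                           # directory too short to hold a CLR entry
    entry = opt + dd_off + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8
    clr_rva, clr_size = _u32(data, entry), _u32(data, entry + 4)
    if clr_rva == 0 or clr_size == 0:
        return result                           # no CLR header: plain native image
    hdr = rva_to_offset(sections, clr_rva)
    flags = _u32(data, hdr + 16)                # COR20 Flags field sits at offset 16
    result["clr_flags"] = flags
    result["native_entrypoint"] = bool(flags & COMIMAGE_FLAGS_NATIVE_ENTRYPOINT)
    result["kind"] = "il-only" if flags & COMIMAGE_FLAGS_ILONLY else "mixed-mode"
    return result


def build_sample_pe(clr_flags=None) -> bytes:
    """Constructed minimal PE32 for testing only; clr_flags=None yields an image with no CLR header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, PE32 opt size
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    if clr_flags is not None:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2000, 72)   # CLR directory -> RVA 0x2000
    sect = struct.pack("<8sIIII", b".text", 0x200, 0x2000, 0x200, 0x200) + bytes(16)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    body = bytearray(0x200)                                     # .text raw data at file offset 0x200
    if clr_flags is not None:
        # COR20: cb, MajorRuntimeVersion, MinorRuntimeVersion, MetaData RVA/Size, Flags
        struct.pack_into("<IHHIII", body, 0, 72, 2, 5, 0x2100, 0x10, clr_flags)
    return headers + bytes(body)


def classify_file(path: str) -> dict:
    with open(path, "rb") as f:
        return classify_pe(f.read())


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No file given: demonstrate on the constructed samples instead.
        for flags in (COMIMAGE_FLAGS_ILONLY, 0, COMIMAGE_FLAGS_NATIVE_ENTRYPOINT, None):
            print("flags=%r ->" % flags, classify_pe(build_sample_pe(flags)))
    for p in paths:
        print(p, "->", classify_file(p))
```

Run it with the extracted loader binaries as arguments; a "mixed-mode" result on a file that presents itself as an ordinary .NET executable is the signal to hand it to a native disassembler rather than relying on a managed decompiler alone.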
The new version supports a much wider set of commands, including enumerating installed programs, running processes, and files; stealing user data from the Telegram desktop app; and taking screenshots. It can also download extra modules, including a keylogger, a browser information stealer, and an audio recorder that captures the victim's surroundings.
“The variant described in this report was delivered using ISO files, indicating it is likely meant to be the initial infection vector. Because it is an updated version of previously reported malware, PowerLess, associated with some of Phosphorus’ ransomware operations, it is important to note that it might only represent the early stages of infection, with significant fractions of post-infection activity yet to be seen in the wild,” the researchers note.