Charming Kitten Sharpens Its Claws with PowerShell Backdoor

The notorious Iranian APT is fortifying its arsenal with new malicious tools and evasion tactics and may even be behind the Memento ransomware.

The Iranian advanced persistent threat (APT) Charming Kitten is sharpening its claws with a new set of tools, including a novel PowerShell backdoor and related stealth tactics, that show the group evolving yet again. The new tools may signal that it’s getting ready to pounce on new victims, researchers believe.

Researchers at cybersecurity firm Cybereason discovered the tools, which include a backdoor they dubbed “PowerLess Backdoor,” as well as an evasive maneuver to run the backdoor in a .NET context rather than as one that triggers a PowerShell process, the Cybereason Nocturnus Team wrote in a report published Tuesday.

“The Cybereason Nocturnus Team was able to identify a new toolset that includes a novel backdoor, malware loaders, a browser info stealer, and a keylogger,” Cybereason Senior Malware Researcher Daniel Frank wrote in the report.

Infosec Insiders Newsletter

The team also identified links between Charming Kitten and the Memento ransomware that emerged late last year and until now has been unattributed, signaling that the APT may be moving beyond its typical cyberespionage tactics and into new cybercriminal territory, researchers said.

Charming Kitten is a prolific APT believed to be backed by the Iranian government and known by a number of other names – including TA453, APT35, Ajax Security Team, NewsBeef, Newscaster and Phosphorus.

The group – which first rose to prominence in 2018 – was extremely active throughout 2020 and 2021 and is best known for targeted cyber-espionage attacks against politicians, journalists, human-rights activists, researchers, scholars and think tanks.

Some of the APT’s more high-profile attacks occurred in 2020, when the group targeted the Trump and Biden presidential campaigns as well as attendees of two global geo-political summits, the Munich Security Conference and the Think 20 (T20) Summit, in separate and various incidents.

New Quiver of Malware

The Cybereason Nocturnus team uncovered a raft of new Charming Kitten activity when they investigated threat-intelligence efforts that “included pivoting on an IP address (162.55.136[.]20) that was already attributed to Iranian threat actors by multiple sources, including US CERT,” Frank explained.

The team took a deeper dive into different files that were downloaded from the IP address and discovered a treasure trove of novel tools as well as links to Memento ransomware, he said.

Charming Kitten is now using what researchers have dubbed PowerLess Backdoor, a previously undocumented PowerShell trojan that supports downloading additional payloads, such as a keylogger and an info stealer.

The team also discovered a unique new PowerShell execution process related to the backdoor aimed at slipping past security-detection products, Frank wrote.

The PowerShell code runs in the context of a .NET application, thus not launching ‘powershell.exe’ which enables it to evade security products,” he wrote.

Overall, the new tools show Charming Kitten developing more “modular, multi-staged malware” with payload-delivery aimed at “both stealth and efficacy,” Frank noted. The group also is leaning heavily on open-source tools such as cryptography libraries, weaponizing them for payloads and communication encryption, he said.

This reliance on open-source tools demonstrates that the APT’s developers likely lack “specialization in any specific coding language” and possess “intermediate coding skills,” Frank observed.

The Memento Connection

Cybereason Nocturnus also found that another IP that US CERT has linked to Charming Kitten,91.214.124[.]143, has been communicating with malicious files and has “unique URL directory patterns that reveal a potential connection to Memento ransomware,” Frank wrote.

“The string ‘gsdhdDdfgA5sS’ appears to be generated by the same script as the one listed in the Memento ransomware IOCs – “gadfTs55sghsSSS” – he explained, citing specific directory activity that researchers observed. “The domain ‘google.onedriver-srv[.]ml’ was previously resolved to the IP address 91.214.124[.]143 mentioned in the US CERT alert about Iran state-sponsored actors activity.”

Analyzing this directory activity points to the IP potentially serving as a domain being used as command and control (C2) for Memento, researchers found.

Indeed, this connection makes sense when noting that Charming Kitten’s activity last year to exploit the ProxyShell vulnerabilityan RCE flaw in Microsoft Exchange servers that suffered a barrage of attacks – “took place in about the same time frame as Memento,” Frank observed.

“Iranian threat actors were also reported to be turning to ransomware during that period, which strengthens the hypothesis that Memento is operated by an Iranian threat actor,” he wrote.

Organizations on Alert

Charming Kitten’s continuous evolution of its capabilities has been well-documented, so its new tools and potential to branch out in terms of the type of attacks it can deliver should come as little surprise.

Indeed, threat groups in general are just like any legitimate businesses in that they must bob and weave constantly to meet business objectives, especially when old tactics don’t serve them anymore or authorities are on to them, noted one security professional.

“Cybercriminals, like any business, work to evolve their software to improve, evolve and scale to bring about the best results needed to be successful,” observed James McQuiggan, security awareness advocate at KnowBe4, in an email to Threatpost.

In the same way, organizations need to constantly be on their toes and create “a strong security culture” so they aren’t caught unawares by novel tactics used by APTs like Charming Kitten and other highly organized threat groups, he said.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles