Iran-based Charming Kitten APT has been observed using a new backdoor named PowerLess, along with several other tools. This is a PowerShell-based implant that comes with evasive PowerShell execution.
New additions to the arsenal
The PowerLess backdoor can download and execute additional modules such as keylogger and infostealer.
The backdoor uses the PowerShell code that runs in the context of a DotNET app. Due to this, it does not launch powershell[.]exe, which allows bypass of security solutions.
Along with the backdoor, the attacker's toolset comes with extremely modular, multi-staged malware that decrypts and deploys additional payloads in various stages for stealth and intended results.
For example, the developer behind the PowerLess backdoor was linked with other tools such as an audio recorder, a variant of the information stealer, and an incomplete ransomware variant coded in DotNET.
New relations have emerged
Charming Kitten and the new ransomware known as Memento were also found to have infrastructural overlaps, claimed experts. Memento was first spotted in November 2021. Moreover, the activity of Charming Kitten with ProxyShell happened about the same time as Memento. All these facts support the hypothesis that Memento is managed by an Iranian threat actor.
The recent attacks by Charming Kitten show its growing capability and resources to develop new tools such as PowerLess. Thus, to stay protected, organizations are recommended to share intelligence and deploy a network firewall and anti-malware solution.