Volexity has recently published an advisory discussing the evolution of POWERSTAR backdoor malware and advanced spear-phishing techniques employed by Charming Kitten, a threat actor presumed to originate from Iran. The latest iteration of POWERSTAR exhibits enhanced operational security measures, thereby increasing the difficulty of analyzing and gathering intelligence on this malware.
Diving into details
The most recent iteration of the POWERSTAR malware has become more intricate and indicates the presence of a customized server-side component that automates basic tasks for the malware operator.
- This latest version boasts several noteworthy characteristics. These include leveraging the InterPlanetary File System (IPFS) for its operations, as well as hosting its decryption function and configuration details on cloud hosting platforms accessible to the public.
- PowerStar variant introduces new capabilities, including the ability to remotely execute PowerShell and CSharp commands, establish persistence through diverse methods, dynamically update configurations, utilize multiple C2 channels, and conduct system reconnaissance and monitoring of existing persistence mechanisms.
Charming Kitten’s tactics
- In recent months, it has been observed that Charming Kitten has deviated from its previous preference for cloud-hosting providers such as OneDrive, AWS S3, and Dropbox.
- Instead, the group has started utilizing privately hosted infrastructure like Backblaze and IPFS to distribute malware.
- This shift could be attributed to the group's belief that using privately hosted infrastructure reduces the risk of its tools being exposed.
- Alternatively, Charming Kitten may perceive these alternative providers as being less inclined to take action against their accounts and infrastructure.
The bottom line
This updated malware exemplifies Charming Kitten's continuous endeavors to enhance its tactics and avoid detection. It underscores the importance of implementing robust cybersecurity measures to counter these advanced threats. To protect against this threat, it is recommended to use the provided YARA rules and block the IOCs listed by Volexity.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/0cbd_shutterstock_2245564489.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/99c4_shutterstock_2117132213.jpg)
