Previous attacks from the Iranian Phosphorus APT (aka Charming Kitten, APT35) are well documented. Recently a new set of tools incorporated into the group's arsenal, and a connection with the Memento ransomware, have been discovered. Researchers from have detected a new and undocumented PowerShell backdoor that supports downloading malware such as a keylogger and an infostealer. The code runs in the context of a .NET app without launching powershell.exe and thus avoiding detection.
The new toolset includes modular and multi-staged malware, and the group also makes use of a range of open-source tools including cryptography libraries. The infrastructure was still active at the time of the report, and one of the IP addresses is used as a C2 for the Memento ransomware. The toolset was discovered after the researchers detected and examined a file downloaded from a known Phosphorus IP: WindowsProcesses.exe a loader whose sole purpose is to resolve DLLs and load another file named dll.dll.
This is a .NET AES decryptor that decodes a file named upc to execute the PowerShell code. Before this, however, the victim is assigned a unique identifier. This is sent to the C2, and an additional configuration is downloaded. The PowerShell backdoor, named PowerLess, can download a browser infostealer and a keylogger, can encrypt and decrypt data, can execute arbitrary commands, and can kill processes. Since PowerLess is run within a .NET context, powershell.exe is not spawned. This is probably an intent to avoid PowerShell detections even though PowerShell logs are still saved. A PowerShell process is spawned if the C2 sends an instruction to kill a process.
Typos and grammatical errors within the backdoor code suggest that the authors are not native English speakers. Invertigators using VirusTotal to search for potentially related files, the researchers discovered other unidentified tools. Among them, Chromium F appears to be an earlier variant of the PowerLess infostealer. Sou.exe is another .NET file that is an audio recorder using the NAudio open-source library.
One of the more recent tools appears to be an unfinished ransomware development also written in .NET. So far it does no more than lock the target’s screen, with fields such as the ransom amount and the attacker’s email not yet set. The researchers note that the sample was uploaded from Iran, and postulate that it may be indicative of Phosphorus taking more interest in ransomware.
This may be illustrated by the researchers’ belief that the new Memento ransomware, discovered by Sophos in November 2021 but simply attributed to the ‘Memento Team’, is also attributable to the Iranian Phosphorus group. Using VirusTotal to research a known IP “reveals,” say the researchers, “other malicious files communicating with it, as well as unique URL directory patterns that reveal a potential connection to Memento Ransomware.”
The known Phosphorus activity using ProxyShell occurred in the same timeframe as the use of Memento, and at a time when Iranian threat actors were reported to be turning to ransomware. It is worth noting that the Iran/ransomware connection goes back at least as far as SamSam and the Atlanta incident.
The researchers believe that the extensive use of open-source tools within the Phosphorus tools and techniques may demonstrate only intermediate coding skills within the group. This is potentially one of the reasons why it is unable to attribute the development of the tools used by Phosphorus to Phosphorus itself.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
https://www.securityweek.com/iranian-hackers-using-new-powershell-backdoor-linked-memento-ransomware
Comments