Experts warn of a spike in APT35 activity and a possible link to Memento ransomware op

Pierluigi Paganini February 02, 2022

The Cybereason Nocturnus Team reported a spike in the activity of the Iran-linked APT group APT35 (aka Phosphorus or Charming Kitten).

The Cybereason Nocturnus Team observed a spike in the activity of the Iran-linked APT group APT35 (aka ‘Charming Kitten‘, ‘Phosphorus‘, Newscaster, and Ajax Security Team) 

The Phosphorus group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011. 

The APT group previously targeted medical research organizations in the US and Israel in late 2020, and for targeting academics from the US, France, and the Middle East region in 2019.

They have also previously targeted human rights activists, the media sector, and interfered with the US presidential elections.

The APT35 group is now deploying a new PowerShell backdoor called PowerLess Backdoor using a stealthy technique to avoid detection. The group is running the PowerShell Backdoor in a .NET context rather than spawning the PowerShell process.

Below is the capabilities supported by the PowerLess backdoor:

  • Downloading and executing additional malware and files
  • Encrypted channel with the C2
  • Executing arbitrary commands
  • Killing processes
  • Stealing browser data
  • Keylogging

Experts noticed a lot of typos and grammatical mistakes in the code of the backdoor, a circumstance that suggests that the native language of the backdoor’s authors is likely not English. 

“It is worth mentioning that the backdoor is being run within a .NET context, so therefore it does not spawn “powershell.exe”.” reads the analysis published by the researchers. “This behavior can be interpreted as an attempt to evade certain PowerShell detections, although PowerShell logs are being saved on the machine” “Oddly enough, there is a part of the code in the PowerLess Backdoor, that do spawn a powershell.exe process, when the request to kill a process is received from the C2”

The toolset analyzed by Cybereason includes modular, multi-staged malware used to deploy additional payloads. The attackers also used previously undetected malware, including info stealers and keyloggers.

In Mid-January, the Iran-linked APT35 group has been observed leveraging the Log4Shell flaw to drop a new PowerShell backdoor tracked as CharmPower.

Cybereason also found evidence that links the APT group to the Memento Ransomware operations that first appeared in the threat landscape in 2021.

The gang was observed exploiting the CVE-2021-21972 vulnerability in VMware vCenter Server for the initial access to target networks.

In October, Sophos researchers have spotted the Memento ransomware that adopts a curious approach to block access to victims’ files. The ransomware copies files into password-protected WinRAR archives, it uses a renamed freeware version of the legitimate file utility WinRAR. The Memento ransomware then encrypts the password and deletes the original files from the victim’s system.

Experts found multiple similarities between TTPs used by Phosphorus and the Memento ransomware operation and attack infrastructure.

“Another IP that appears in US CERT’s list is 91.214.124[.]143. Searching it in VirusTotal reveals other malicious files communicating with it, as well as unique URL directory patterns that reveal a potential connection to Memento Ransomware.” concludes the report. “The activity of Phosphorus with regard to ProxyShell took place in about the same time frame as Memento. Iranian threat actors were also reported to be turning to ransomware during that period, which strengthens the hypothesis that Memento is operated by an Iranian threat actor.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT35)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment