APT

Iran-linked Charming Kitten APT enhanced its POWERSTAR Backdoor

Iran-linked Charming Kitten group used an updated version of the PowerShell backdoor called POWERSTAR in a spear-phishing campaign.

Security firm Volexity observed the Iran-linked Charming Kitten (aka APT35PhosphorusNewscaster, and Ajax Security Team) group using an updated version of the PowerShell backdoor POWERSTAR in a spear-phishing campaign.

Iran-linked Charming Kitten group, (aka APT35PhosphorusNewscaster, and Ajax Security Team) made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011 targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the U.K., Israel, Iraq, and Saudi Arabia

“However, in a recently detected spear-phishing campaign, Volexity discovered that Charming Kitten was attempting to distribute an updated version of one of their backdoors, which Volexity calls POWERSTAR (also known as CharmPower).” reads the report published by Volexity.

“This new version of POWERSTAR was analyzed by the Volexity team and led the to the discovery that Charming Kitten has been evolving their malware alongside their spear-phishing techniques”

The threat actors enhanced anti-analysis measures of their POWERSTAR malware.

The POWERSTAR implant was first analyzed by Check Point researchers in early January 2022 while investigating attacks exploiting the Log4Shell vulnerabilities.

Volexity first spotted the POWERSTAR backdoor in 2021, the experts observed the Iranian APT distributing the malicious code in a surprising number of different ways.

The version observed in 2021 was rudimentary, the threat actors distributed it using a malicious macro embedded in DOCM file.

In Many, Volexity observed Charming Kitten attempting to distribute POWERSTAR via spear-phishing messages with an LNK file inside a password-protected RAR file. Upon executing the LNK files, the POWERSTAR backdoor is downloaded from Backblaze and attacker-controlled infrastructure.

The researchers pointed out that in recent months, Charming Kitten replaced their previously preferred cloud-hosting providers (OneDrive, AWS S3, Dropbox) with privately hosted infrastructure, Backblaze and IPFS.

The target of the attack was an organization that had published an article related to Iran.

The threat actors initially contacted the victims, asking them if they would be open to reviewing a document they had written related to US foreign policy.

Once the victim accepted to review the document, Charming Kitten continued the interaction with another benign email containing a list of questions, to which the target then responded with answers. After multiple legitimate interactions, Charming Kitten finally sent a “draft report” to the victims. The “draft report” a password-protected RAR file containing a malicious LNK file. The attackers sent the password for the RAR archive in a separate email.

In order to make the backdoor hard to analyze, the decryption method is delivered separately from the initial code and avoids writing it on the disk.

“This has the added bonus of acting as an operational guardrail, as decoupling the decryption method from its command-and-control (C2) server prevents future successful decryption of the corresponding POWERSTAR payload.” continues the report.

The backdoor can remotely execute PowerShell and CSharp commands and code blocks. The malware achieves persistence via Startup tasks, Registry Run keys, and Batch/PowerShell scripts.

The malware used multiple C2 channels, including cloud file hosts, attacker-controlled servers, and IPFS-hosted files. The backdoor gathers system information, can take screenshots and enumerates running processes.

The Charming Kitten APT group expanded the cleanup module, which is used to erase all traces of the infection.

“Since Volexity first observed POWERSTAR in 2021, Charming Kitten has reworked the malware to make detection more difficult. The most significant change is the downloading of the decryption function from remotely hosted files. As previously discussed, this technique hinders detection of the malware outside of memory, and it gives the attacker an effective kill switch to prevent future analysis of the malware’s key functionality.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, IRAN)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

US and allied Governments’ Recommendations: Securing Network Devices Against Russian APT Groups

US and allies warn of Russian APT groups targeting routers and network devices to compromise…

4 hours ago

Chaotic Eclipse Unveils LegacyHive Exploit Affecting Fully Patched Windows Systems

LegacyHive PoC exposes a Windows Privilege Escalation flaw affecting fully patched Windows desktop and server…

6 hours ago

AsyncAPI npm Supply Chain Attack: Malware Injected Into Packages With 2 Million Weekly Downloads

AsyncAPI npm packages with 2M weekly downloads were compromised, spreading malware with info-stealing, crypto-theft and…

11 hours ago

U.S. CISA adds SonicWall and Microsoft flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SonicWall and Microsoft flaws to its Known…

12 hours ago

SonicWall warns of active exploitation of two SMA 1000 zero-days

SonicWall warns of active attacks exploiting two SMA 1000 zero-days, including a flaw enabling arbitrary…

15 hours ago

Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month

Patch Tuesday: Microsoft fixes a record 621 CVEs, including 2 exploited zero-days and critical flaws…

1 day ago

This website uses cookies.