February 08, 2022

Phosphorus/APT32 New PowerLess Trojan

Industry: N/A | Level: Tactical | Source: Cybereason

Iranian group, Phosphorus/APT35/Charming Kitten, has been identified by Research from Cybereason, utilizing new PowerShell tool “PowerLess Backdoor,” while also exploiting log4shell vulnerabilities. The new malware comes with capabilities to download additional payloads for information stealing, however it’s unique with a new stealth technique as detailed from the report, “to avoid PowerShell detection by running the PowerShell Backdoor in a .NET context rather than spawning the PowerShell process.” The evasion tactic doesn’t prevent PowerShell events from being logged. The only instance in which a PowerShell process is spawned is when a process needs to be killed. Based on reviewed IOCs from Cybereason, the infrastructure utilized for the attack is highly active with an observed IP address having overlap with Memento Ransomware linking a potential connection between the threat actor group and ransomware.

  • Anvilogic Use Cases:
    • Executable Process from Suspicious Folder
    • Suspicious Powershell
    • Potential CVE-2021-44228 – Log4Shell