Researchers at Cybereason tracking APT35, the Iranian threat group also known as Phosphorus or Charming Kitten, have observed the use of a novel backdoor known as Powerless Backdoor. Powerless Backdoor invokes PowerShell from a .NET context rather than spawning the PowerShell process, in an attempt to evade standard alerts for malicious PowerShell usage.
APT35 has targeted US and Israeli medical research organizations, as well as academic researchers from the US, France, and the Middle East. The group is also tied to election interference and to the targeting of human rights activists worldwide. Recently, Cybereason has documented strong connections between APT35 and Memento Ransomware, which first emerged in late 2021.
The trick used by Powerless Backdoor is simple: because it invokes PowerShell through .NET, no powershell.exe process is spawned. Products whose detections rely on that process creation may be evaded, making the activity difficult to detect. However, Powerless Backdoor has been observed spawning powershell.exe when the Command and Control (C2) server issues a kill command, which is behaviour that could be used for alerting. Behavioral detections developed through proactive threat hunting, together with Security Operations Center alerting, will help mitigate the threat.
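Two behavioural rules that cover both observations above, as an added example that is not Cybereason's code: a process other than a known PowerShell host loading System.Management.Automation (the engine assembly any in-process .NET invocation must load), and that same process later spawning powershell.exe. The event layout (Sysmon-style dicts with EventID, Image, ImageLoaded and ParentImage) and the sample events are constructed assumptions.

```python
"""Detection for PowerShell hosted in-process via .NET (no powershell.exe).
Added illustration, not Cybereason's code. Assumes Sysmon-style events as
dicts with EventID, Image, ImageLoaded and ParentImage; samples constructed."""
from typing import Dict, Iterable, List, Tuple

KNOWN_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}  # legit hosts
# Loading this assembly means the process runs the PowerShell engine itself.
AUTOMATION_DLL = "system.management.automation"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()  # lower-cased Windows file name


def detect(events: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Return (rule, image) findings in event order.
    Rule 1: non-PowerShell image loads System.Management.Automation.
    Rule 2: an image flagged by rule 1 later spawns powershell.exe, the
            behaviour the text notes on a C2 kill command."""
    findings: List[Tuple[str, str]] = []
    inproc_hosts = set()
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7:  # Sysmon ImageLoad
            image = ev.get("Image", "")
            if (basename(ev.get("ImageLoaded", "")).startswith(AUTOMATION_DLL)
                    and basename(image) not in KNOWN_HOSTS):
                findings.append(("inproc_powershell_host", image))
                inproc_hosts.add(image.lower())
        elif eid == 1:  # Sysmon ProcessCreate
            parent = ev.get("ParentImage", "")
            if (basename(ev.get("Image", "")) in KNOWN_HOSTS
                    and parent.lower() in inproc_hosts):
                findings.append(("powershell_spawned_by_inproc_host", parent))
    return findings


# Constructed telemetry: benign load, in-process host, host spawning powershell.exe, unrelated launch.
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SMA_DLL = "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation.dll"
UPDATER = "C:\\Users\\Public\\updater.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": PS_EXE, "ImageLoaded": SMA_DLL},
    {"EventID": 7, "Image": UPDATER, "ImageLoaded": SMA_DLL},
    {"EventID": 1, "Image": PS_EXE, "ParentImage": UPDATER},
    {"EventID": 1, "Image": PS_EXE, "ParentImage": "C:\\Windows\\explorer.exe"},
]
```

Rule 1 will also fire on legitimate .NET applications that embed PowerShell, so in production it is a hunting lead to be tuned with an allowlist rather than a high-confidence alert on its own; rule 2 is the stronger signal.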