Increasing APT35 Activity Utilizing Novel Powerless Backdoor

Threat Watch

Threat Watch Increasing APT35 Activity Utilizing Novel Powerless Backdoor

Increasing APT35 Activity Utilizing Novel Powerless Backdoor

Researchers at Cybereason tracking APT35, the threat group known as Phosphorous or Charming Kitten out of Iran, have observed the use of a new novel backdoor known as Powerless Backdoor. Powerless Backdoor utilizes a technique to invoke PowerShell in a.NET context rather than spawning the PowerShell process in an attempt to evade standard alerts for malicious PowerShell usage.

APT35 has targeted US and Israeli medical research organizations, as well as academic researchers from the US, France, and the Middle East. They are also tied to election interference and targeting human rights activists worldwide. Recently, Cybereason has documented strong connections between APT35 and Memento Ransomware that first emerged in late 2021.

ANALYST NOTES

The trick used by Powerless Backdoor is simple. By using .NET to invoke PowerShell it does not spawn powershell.exe. Products relying on this behavior in their detections may be evaded, thus making activity difficult to detect. However, Powerless Backdoor has been observed spawning powershell.exe when the Command and Control (C2) issues a kill command, which is a technique that could be used for alerting. Behavioral detections developed by proactive threat hunting, along with Security Operations Center alerting, will help mitigate the threat.

https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage

Using Microsoft Sentinel to Detect Confluence CVE-2022-26134 Exploitation

Russia may be Pressing Arrested Cyber Criminals into Service

Get To Know Bob Meindl, Our New CEO!

How Ransomware Capabilities Are Evolving and What You Can Do to Keep Your Organization Secure

Threat Watch