An Iranian nation-state threat actor has been linked to a new wave of phishing attacks targeting Israel that are designed to deploy an updated version of a backdoor called PowerLess.
Cybersecurity firm Check Point is tracking the cluster of activity under its mythical creature handle Educated Manticore, which shows “strong overlaps” with a hacking crew known as APT35, Charming Kitten, Cobalt Illusion, ITG18, Mint Sandstorm (formerly Phosphorus), TA453 and Yellow Garuda.
“Like many other actors, Educated Manticore has adopted recent trends and started using ISO images and possibly other archive files to start infection chains,” the Israeli company said in a technical report published today.
Active since at least 2011, APT35 has cast a wide net of targets by exploiting social media impersonations, spear-phishing techniques, and N-day vulnerabilities in Internet-exposed applications to gain initial access and drop various payloads, including ransomware.
The development is an indication that the adversary is continually refining and reworking its malware arsenal to expand its functionality and resist analysis efforts, while adopting improved methods to avoid detection.
The attack chain documented by Check Point begins with an ISO disk image file that uses Iraq-themed decoys to drop a custom in-memory downloader that ultimately launches the PowerLess implant.
The ISO file acts as a conduit to display an enticing document written in Arabic, English and Hebrew, purporting to include academic content on Iraq from a legitimate non-profit entity called the Arab Science and Technology Foundation (ASTF), which indicates that the research community could have been the target of the campaign.
The PowerLess backdoor, which Cybereason previously highlighted in February 2022, includes capabilities to steal data from web browsers and apps like Telegram, take screenshots, record audio, and log keystrokes.
“While the new PowerLess payload remains similar, its loading mechanisms have improved significantly, adopting techniques rarely seen in the wild, such as using .NET binaries built in mixed mode with assembly,” Check Point said.
“PowerLess [command-and-control] communication with the server is Base64-encoded and encrypted after obtaining a key from the server. To fool researchers, the threat actor actively adds three random letters to the beginning of the encoded blob.”
The cybersecurity firm said it also discovered two other archive files used as part of a different intrusion set that shares overlaps with the aforementioned attack sequence owing to the use of the same Iraq-themed PDF file.
Further analysis has revealed that the infection chains derived from these two archive files culminate in the execution of a PowerShell script designed to download two files from a remote server and execute them.
“Educated Manticore continues to evolve, refining previously observed toolsets and delivery mechanisms,” Check Point said, adding that “the actor adopts popular trends to avoid detection” and continues to “develop custom toolsets using advanced techniques”.
“As it is an updated version of the previously reported malware, […] it is important to note that this could represent only the early stages of infection, with significant portions of post-infection activity yet to be seen in the wild.”
Iranian hackers have launched sophisticated cyber-attacks against Israel using a new type of backdoor known as “PowerLess”. In a recent attack, the hackers gained access to an Israeli government database and stole a small amount of data. The attack follows a series of similar operations carried out by the same group of hackers in recent months.
The use of the “PowerLess” backdoor is causing concern among cybersecurity professionals and businesses around the world. The malware is highly sophisticated and is believed to come from Iran. It is programmed to gain access to corporate networks, extract data, and stay hidden.
The experts at Ikaroa have studied this cyber-attack and have determined that the hackers have targeted vulnerable Israeli systems. They have also identified signatures that can alert companies to similar threats and take preemptive action.