An Iranian state-sponsored threat actor, Educated Manticore, has been observed deploying an updated version of the Windows PowerLess backdoor to target Israel for phishing attacks, according to a new Check Point report.
Researchers have also linked the Educated Manticore hackers to APT Phosphorus, which operates in the Middle East and North America.
“The investigation presents a new and improved infection chain leading to the deployment of a new version of PowerLess. This implant was attributed to Phosphorus in the past,” Check Point said in its investigation.
Phosphorus has been active since at least 2017. It has been attributed to a number of campaigns in recent years, particularly those in which the APT posed as journalists and scholars to trick targets into installing malware and steal classified information.
While the PowerLess payload was similar to the one deployed by Phosphorus, the researchers said the toolkits used to deliver the payload have been improved.
Educated Manticore uses .Net executables
Educated Manticore was seen using .Net executables in its latest attacks, a rarely used technique.
“Actor has significantly improved its toolset, using rarely seen techniques, most notably using .Net executables built as a mixed-mode assembly: a mix of .Net and native C++ code. It improves the functionality of the tools and makes the analysis of the tools more difficult,” Check Point said in its report.
The hacking group has also started using ISO images. The ISO images used by the threat actor are in English, Arabic and Hebrew with academic content about Iraq. The researchers said this suggests that “the targets may have been academic researchers”.
The attack chain uses Iraq-themed decoys
The attack chain starts with an ISO image file that makes use of Iraq-themed decoys to load a custom downloader into memory.
The ISO file claims that the academic information comes from a non-profit organization called the Arab Science and Technology Foundation. The final function of the downloader is to install the PowerLess payload.
“PowerLess communication with the server is Base64-encoded and encrypted after obtaining a key from the server. To fool researchers, the threat actor actively adds three random letters to the beginning of the encoded drop,” Check Point said in its report.
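To show what that prefix does to an analyst's decoding, here is an added Python example (not Check Point's code and not the malware's): it models the described scheme, Base64 plus three random leading letters, and gives a triage check and a decoder that accounts for the prefix. The inner bytes are a constructed placeholder, since the report excerpt does not name the cipher or key exchange PowerLess uses.

```python
import base64
import binascii
import re
import secrets
import string

# Constructed placeholder for the encrypted inner message; the cipher
# PowerLess applies after fetching its key is not described on this page.
SAMPLE_INNER = b"\x01\x02ciphertext-placeholder\xff"

B64_BODY = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")


def obfuscate(inner: bytes) -> bytes:
    """Model of the described layer: Base64-encode, then prepend three random letters."""
    prefix = "".join(secrets.choice(string.ascii_letters) for _ in range(3)).encode()
    return prefix + base64.b64encode(inner)


def looks_like_prefixed_b64(blob: bytes) -> bool:
    """Triage heuristic: three ASCII letters followed by well-formed Base64."""
    if len(blob) < 7 or not blob[:3].isalpha():
        return False
    body = blob[3:]
    return len(body) % 4 == 0 and B64_BODY.match(body) is not None


def naive_decode_fails(blob: bytes) -> bool:
    """Decoding the whole blob as Base64 (prefix included) breaks alignment."""
    try:
        base64.b64decode(blob, validate=True)
    except binascii.Error:
        return True
    return False


def strip_and_decode(blob: bytes) -> bytes:
    """Defender-side decoder: drop the three-letter prefix, then Base64-decode."""
    if not looks_like_prefixed_b64(blob):
        raise ValueError("not in the expected prefixed-Base64 form")
    return base64.b64decode(blob[3:], validate=True)


if __name__ == "__main__":
    blob = obfuscate(SAMPLE_INNER)
    print(blob, naive_decode_fails(blob), strip_and_decode(blob) == SAMPLE_INNER)
```

The decoded result is still the ciphertext layer; recovering plaintext would additionally require the server-supplied key, which this example does not model.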
Cybereason highlighted Phosphorus’ use of the PowerLess payload in February 2022. The PowerLess payload has the ability to steal data from web browsers and apps like Telegram, take screenshots, record audio, and log keystrokes.
Expect more activity after infection
Researchers have warned that the updated version of the malware may lead to more post-infection activity.
“As this is an updated version of the previously reported malware, PowerLess, associated with some of Phosphorus’ ransomware operations, it is important to note that it may only represent the early stages of infection, with significant fractions of the post-infection activity has yet to be seen in the wild,” Check Point said.
Educated Manticore continues to evolve, refining previously observed toolsets and delivery mechanisms, Check Point said. “The actor is seen adopting popular trends to avoid detection and continues to develop custom toolkits using advanced techniques,” Check Point said in its report.
Copyright © 2023 IDG Communications, Inc.
As reported by Israeli news sources, there has been an increase in advanced phishing attacks from an Iranian hacking group recently targeting Israel. This group, known as APT33 or Elfin, has been active since 2013 and is suspected to be state-sponsored.
In recent attacks, cybercriminals have used improved phishing techniques, such as deploying attacks via malicious emails disguised to look like legitimate requests from trusted sources. These emails contain malicious links or other types of malicious content.
The Israel Defense Forces have released a statement, claiming that these hacking attempts are “very sophisticated” and that they have even included spear-phishing attacks, aimed at high-ranking officials.
While security solutions should be in place to protect against these threats, cybersecurity company Ikaroa also recommends that companies pay closer attention to behavioral signposts, which can be used to identify potential malicious actors.
The best practice to protect against phishing attacks is to regularly train employees to identify malicious phishing links, teach them the basics of cybersecurity, and identify potential attackers before they can launch attacks.
Overall, it is essential to stay vigilant during these dangerous times as cyber-attacks continue to increase in sophistication. Companies, especially those in critical industries, should also take proactive measures, such as utilizing solutions from trusted partners like Ikaroa, to guard against these threats.