
Iranian Hackers Using New PowerShell Backdoor Linked to Memento Ransomware

Attacks from the Iranian Phosphorus APT (aka Charming Kitten, APT35) are well documented. Now a new set of tools incorporated into the group's arsenal, and a connection with the Memento ransomware, have been discovered.

Researchers from Cybereason’s Nocturnus Team have detected a new and previously undocumented PowerShell backdoor that can download additional malware such as a keylogger and an infostealer. The code runs in the context of a .NET application without launching powershell.exe, which helps it evade detection, the researchers note in a report.

The new toolset includes modular and multi-staged malware, and the group also makes use of a range of open-source tools including cryptography libraries. The infrastructure was still active at the time of the Cybereason report, and one of the IP addresses is used as a C2 for the Memento ransomware.

The toolset was discovered after the researchers detected and examined a file downloaded from a known Phosphorus IP: WindowsProcesses.exe – a loader whose sole purpose is to resolve DLLs and load another file named dll.dll.

This is a .NET AES decryptor that decodes a file named upc to execute the PowerShell code. Before this, however, the victim is assigned a unique identifier. This is sent to the C2, and an additional configuration is downloaded.

The PowerShell backdoor, named by Cybereason as PowerLess, can download a browser infostealer and a keylogger, can encrypt and decrypt data, can execute arbitrary commands, and can kill processes.

Since PowerLess runs within a .NET context, powershell.exe is not spawned. This is probably intended to evade detections keyed on the powershell.exe process, although PowerShell logging still records the activity. A PowerShell process is spawned only if the C2 sends an instruction to kill a process.
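A detection check for the evasion described above, added here as an example and not code from the Cybereason report: it scans Sysmon ImageLoad (Event ID 7) records for the PowerShell engine assembly being loaded by a process other than the usual PowerShell hosts, which is what an in-process .NET host of PowerShell looks like in telemetry. The EXPECTED_HOSTS set, the sample records and their paths are assumptions.

```python
from pathlib import PureWindowsPath

# Binaries that normally host the PowerShell engine (assumption; tune per environment).
EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# The engine assembly; its native-image variant appears as
# System.Management.Automation.ni.dll, so match on the stem.
ENGINE_PREFIX = "system.management.automation"


def flag_unusual_powershell_hosts(events):
    """Return (host image, loaded DLL) pairs for every Sysmon ImageLoad
    (Event ID 7) record in which a process outside EXPECTED_HOSTS loaded
    the PowerShell engine. Such a process runs PowerShell in-process, so
    no powershell.exe child ever shows up in process-creation telemetry."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue  # only image-load records carry the host/DLL pairing
        loaded = PureWindowsPath(ev["ImageLoaded"]).name.lower()
        host = PureWindowsPath(ev["Image"]).name.lower()
        if loaded.startswith(ENGINE_PREFIX) and host not in EXPECTED_HOSTS:
            hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits


# Constructed sample telemetry: paths are illustrative, not indicators from the report.
SAMPLE_EVENTS = [
    {"EventID": 1,  # process creation, ignored by the check
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 7,  # normal host loading the engine: benign
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"},
    {"EventID": 7,  # loader pulling in a helper DLL: not the engine, not flagged
     "Image": r"C:\Users\Public\WindowsProcesses.exe",
     "ImageLoaded": r"C:\Users\Public\dll.dll"},
    {"EventID": 7,  # unexpected host loading the engine: flagged
     "Image": r"C:\Users\Public\WindowsProcesses.exe",
     "ImageLoaded": r"C:\Windows\assembly\NativeImages\System.Management.Automation.ni.dll"},
]

if __name__ == "__main__":
    for host, dll in flag_unusual_powershell_hosts(SAMPLE_EVENTS):
        print(f"PowerShell engine loaded by unexpected host: {host} -> {dll}")
```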

Typos and grammatical errors within the backdoor code suggest that the authors are not native English speakers. Although found via a Phosphorus IP, Cybereason cannot definitively say that Phosphorus was the developer of this and other tools suspected to have come from the same developer.

However, using VirusTotal to search for potentially related files, the researchers discovered other unidentified tools. Among them, Chromium F appears to be an earlier variant of the PowerLess infostealer. Sou.exe is another .NET file that is an audio recorder using the NAudio open-source library.

One of the more recent tools appears to be an unfinished ransomware development also written in .NET. So far it does no more than lock the target’s screen, with fields such as the ransom amount and the attacker’s email not yet set. The researchers note that the sample was uploaded from Iran, and postulate that it may be indicative of Phosphorus taking more interest in ransomware.

This may be illustrated by the researchers’ belief that the new Memento ransomware, discovered by Sophos in November 2021 but simply attributed to the ‘Memento Team’, is also attributable to the Iranian Phosphorus group. Using VirusTotal to research a known IP “reveals,” say the researchers, “other malicious files communicating with it, as well as unique URL directory patterns that reveal a potential connection to Memento Ransomware.”

Furthermore, the known Phosphorus activity using ProxyShell occurred in the same timeframe as the use of Memento, and at a time when Iranian threat actors were reported to be turning to ransomware. It is worth noting that the Iran/ransomware connection goes back at least as far as SamSam and the Atlanta incident.

Cybereason believes that the extensive use of open-source tools within the Phosphorus tools and techniques may demonstrate only intermediate coding skills within the group. This is potentially one of the reasons why it is unable to attribute the development of the tools used by Phosphorus to Phosphorus itself.

Related: Iran-Linked Hackers Expand Arsenal With New Android Backdoor

Related: Iranian Hackers Target Medical Personnel in US, Israel

Related: Microsoft Says Iranian Hackers Targeted Attendees of Global Policy Conferences

Related: Iran-Linked Malware Shared by USCYBERCOM

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.