Attacks from the Iranian Phosphorus APT (aka Charming Kitten, APT35) are well documented. Now a new set of tools incorporated into the group’s arsenal, and a connection with the Memento ransomware, have been discovered.
Researchers from Cybereason’s Nocturnus Team have detected a new and previously undocumented PowerShell backdoor that can download further malware, including a keylogger and an infostealer. The PowerShell code runs inside a .NET application without launching powershell.exe, which the researchers note in their report is most likely an attempt to evade detections keyed on that process.
The new toolset includes modular and multi-staged malware, and the group also makes use of a range of open-source tools including cryptography libraries. The infrastructure was still active at the time of the Cybereason report, and one of the IP addresses is used as a C2 for the Memento ransomware.
The toolset was discovered after the researchers detected and examined a file downloaded from a known Phosphorus IP: WindowsProcesses.exe – a loader whose sole purpose is to resolve DLLs and load another file named dll.dll.
This is a .NET AES decryptor that decrypts a file named upc and then executes the PowerShell code it contains. Before this happens, however, the victim is assigned a unique identifier, which is sent to the C2, and an additional configuration is downloaded.
The PowerShell backdoor, named by Cybereason as PowerLess, can download a browser infostealer and a keylogger, can encrypt and decrypt data, can execute arbitrary commands, and can kill processes.
Since PowerLess runs within a .NET context, powershell.exe is not spawned. This is probably intended to evade detections that key on the powershell.exe process, although PowerShell’s own logging still records the activity. The one exception is the kill-process command: when the C2 sends that instruction, a PowerShell process is spawned.
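The detection angle here, as an added example that is not taken from the Cybereason report: when the PowerShell engine is hosted by a custom .NET process, the classic “Windows PowerShell” event log still writes its engine-lifecycle event (Event ID 400) with a HostApplication field, but that field names the hosting executable rather than powershell.exe. The Python below parses constructed Event 400 message bodies (sample data, not captured telemetry) and flags engine starts whose host binary is not a known PowerShell host. The WindowsProcesses.exe path is assumed for illustration, since the report only identifies that file as the loader.

```python
import re
from pathlib import PureWindowsPath

# Hosts that legitimately start the PowerShell engine on a typical workstation.
# Extend this with any known-good custom hosts in your environment.
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

DETAIL_RE = re.compile(r"^\s*(\w+)=(.*)$", re.MULTILINE)
EXE_RE = re.compile(r'^"?(.*?\.exe)"?', re.IGNORECASE)


def _event_400(host_name, host_application):
    """Build a constructed Event ID 400 message body in the layout the
    'Windows PowerShell' log uses. Sample data only, not captured telemetry."""
    return "\n".join([
        "Engine state is changed from None to Available.",
        "",
        "Details:",
        "\tNewEngineState=Available",
        "\tPreviousEngineState=None",
        "",
        "\tSequenceNumber=13",
        "",
        f"\tHostName={host_name}",
        "\tHostVersion=5.1.19041.1",
        f"\tHostApplication={host_application}",
        "\tEngineVersion=5.1.19041.1",
        "\tRunspaceId=8b5e4a5c-0000-4000-8000-000000000001",
    ])


SAMPLE_EVENTS = [
    _event_400("ConsoleHost",
               r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),
    # Assumed path for the loader named in the report; the engine is hosted in-process.
    _event_400("Default Host", r"C:\Users\Public\WindowsProcesses.exe"),
    _event_400("Windows PowerShell ISE Host",
               r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"),
    # Quoted path with spaces plus arguments: a naive whitespace split would break this.
    _event_400("Default Host", r'"C:\Program Files\Vendor App\VendorAgent.exe" -svc'),
]


def parse_details(message):
    """Return the key=value pairs under 'Details:' as a dict."""
    return {key: value.strip() for key, value in DETAIL_RE.findall(message)}


def host_image(host_application):
    """Extract the host executable's file name (lower-cased) from HostApplication.

    HostApplication is the host's command line, so it may carry arguments and a
    path containing spaces; take everything up to the first '.exe' instead of
    splitting on whitespace."""
    match = EXE_RE.match(host_application)
    if match:
        image = match.group(1)
    else:
        tokens = host_application.split()
        image = tokens[0] if tokens else ""
    return PureWindowsPath(image).name.lower()


def unexpected_powershell_hosts(messages, expected=EXPECTED_HOSTS):
    """Return (HostName, host image, HostApplication) for each engine start whose
    host binary is not in the expected set."""
    hits = []
    for message in messages:
        details = parse_details(message)
        application = details.get("HostApplication", "")
        image = host_image(application)
        if image not in expected:
            hits.append((details.get("HostName", ""), image, application))
    return hits


if __name__ == "__main__":
    for host_name, image, application in unexpected_powershell_hosts(SAMPLE_EVENTS):
        print(f"PowerShell engine hosted by {image} (HostName={host_name}): {application}")
```

Legitimate software (management agents, Exchange, build tooling) also hosts the engine in-process, so this is a hunt that needs a per-environment allowlist rather than an alert on its own; the ProcessID on the matching Script Block Logging events (Event ID 4104) can then be joined to process-creation telemetry to see what the unexpected host loaded and executed.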
Typos and grammatical errors within the backdoor code suggest that the authors are not native English speakers. Although found via a Phosphorus IP, Cybereason cannot definitively say that Phosphorus was the developer of this and other tools suspected to have come from the same developer.
However, using VirusTotal to search for potentially related files, the researchers discovered other unidentified tools. Among them, Chromium F appears to be an earlier variant of the PowerLess infostealer. Sou.exe is another .NET file that is an audio recorder using the NAudio open-source library.
One of the more recent tools appears to be an unfinished ransomware development also written in .NET. So far it does no more than lock the target’s screen, with fields such as the ransom amount and the attacker’s email not yet set. The researchers note that the sample was uploaded from Iran, and postulate that it may be indicative of Phosphorus taking more interest in ransomware.
That interest is reflected in the researchers’ belief that the Memento ransomware, discovered by Sophos in November 2021 and attributed at the time simply to the ‘Memento Team’, is also attributable to the Iranian Phosphorus group. Using VirusTotal to research a known Phosphorus IP “reveals,” say the researchers, “other malicious files communicating with it, as well as unique URL directory patterns that reveal a potential connection to Memento Ransomware.”
Furthermore, the known Phosphorus activity using ProxyShell occurred in the same timeframe as the use of Memento, and at a time when Iranian threat actors were reported to be turning to ransomware. It is worth noting that the Iran/ransomware connection goes back at least as far as SamSam and the Atlanta incident.
Cybereason believes that the extensive use of open-source tools within the Phosphorus tools and techniques may demonstrate only intermediate coding skills within the group. This is potentially one of the reasons why it is unable to attribute the development of the tools used by Phosphorus to Phosphorus itself.
Related: Iran-Linked Hackers Expand Arsenal With New Android Backdoor
Related: Iranian Hackers Target Medical Personnel in US, Israel
Related: Microsoft Says Iranian Hackers Targeted Attendees of Global Policy Conferences
Related: Iran-Linked Malware Shared by USCYBERCOM

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.