Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

Iranian Hackers Using New PowerShell Backdoor Linked to Memento Ransomware

Attacks from the Iranian Phosphorus APT (aka Charming Kitten, APT35) are well documented. Now a new set of tools incorporated into the group’s arsenal, and a connection with the Memento ransomware, have been discovered.

Attacks from the Iranian Phosphorus APT (aka Charming Kitten, APT35) are well documented. Now a new set of tools incorporated into the group’s arsenal, and a connection with the Memento ransomware, have been discovered.

Researchers from Cybereason’s Nocturnus Team have detected a new and undocumented PowerShell backdoor that supports downloading malware such as a keylogger and an infostealer. The code runs in the context of a .NET app without launching powershell.exe and thus avoiding detection, note the researchers in a report.

The new toolset includes modular and multi-staged malware, and the group also makes use of a range of open-source tools including cryptography libraries. The infrastructure was still active at the time of the Cybereason report, and one of the IP addresses is used as a C2 for the Memento ransomware.

The toolset was discovered after the researchers detected and examined a file downloaded from a known Phosphorus IP: WindowsProcesses.exe – a loader whose sole purpose is to resolve DLLs and load another file named dll.dll.

This is a .NET AES decryptor that decodes a file named upc to execute the PowerShell code. Before this, however, the victim is assigned a unique identifier. This is sent to the C2, and an additional configuration is downloaded.

The PowerShell backdoor, named by Cybereason as PowerLess, can download a browser infostealer and a keylogger, can encrypt and decrypt data, can execute arbitrary commands, and can kill processes.

Since PowerLess is run within a .NET context, powershell.exe is not spawned. This is probably an intent to avoid PowerShell detections even though PowerShell logs are still saved. A PowerShell process is spawned if the C2 sends an instruction to kill a process.

Advertisement. Scroll to continue reading.

Typos and grammatical errors within the backdoor code suggest that the authors are not native English speakers. Although found via a Phosphorus IP, Cybereason cannot definitively say that Phosphorus was the developer of this and other tools suspected to have come from the same developer.

However, using VirusTotal to search for potentially related files, the researchers discovered other unidentified tools. Among them, Chromium F appears to be an earlier variant of the PowerLess infostealer. Sou.exe is another .NET file that is an audio recorder using the NAudio open-source library.

One of the more recent tools appears to be an unfinished ransomware development also written in .NET. So far it does no more than lock the target’s screen, with fields such as the ransom amount and the attacker’s email not yet set. The researchers note that the sample was uploaded from Iran, and postulate that it may be indicative of Phosphorus taking more interest in ransomware.

This may be illustrated by the researchers’ belief that the new Memento ransomware, discovered by Sophos in November 2021 but simply attributed to the ‘Memento Team’, is also attributable to the Iranian Phosphorus group. Using VirusTotal to research a known IP “reveals,” say the researchers, “other malicious files communicating with it, as well as unique URL directory patterns that reveal a potential connection to Memento Ransomware.”

Furthermore, the known Phosphorus activity using ProxyShell occurred in the same timeframe as the use of Memento, and at a time when Iranian threat actors were reported to be turning to ransomware. It is worth noting that the Iran/ransomware connection goes back at least as far as SamSam and the Atlanta incident.

Cybereason believes that the extensive use of open-source tools within the Phosphorus tools and techniques may demonstrate only intermediate coding skills within the group. This is potentially one of the reasons why it is unable to attribute the development of the tools used by Phosphorus to Phosphorus itself.

Related: Iran-Linked Hackers Expand Arsenal With New Android Backdoor

Related: Iranian Hackers Target Medical Personnel in US, Israel

Related: Microsoft Says Iranian Hackers Targeted Attendees of Global Policy Conferences

Related: Iran-Linked Malware Shared by USCYBERCOM

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.