Charming Kitten Wreaks Havoc with PowerShell Backdoor

 The infamous Iranian advanced persistent threat, commonly referred to with the acronym APT, is creating significant digital security problems with its Charming Kitten attacks. Charming Kitten’s latest tools include PowerShell backdoor and a litany of clandestine tactics. In short, Charming Kitten is rapidly evolving, and the cyber security industry is struggling to keep pace. The digital security specialists who keep their fingers on the pulse of the industry believe Charming Kitten’s new tools indicate the group might be responsible for Memento ransomware.

How is Charming Kitten Evolving?

Digital security specialists with Cybereason, a cyber security company, recently highlighted Charming Kitten’s cyber-attack tools. Cybereason’s team identified a backdoor referred to as PowerLess Backdoor along with a highly specialized maneuver that facilitates the use of a .NET backdoor as opposed to one that catalyzes PowerShell activation.  
 
The Cybereason crew published its findings this past Tuesday. The toolset in question includes everything from a tool that steals browser information to malware loaders, keyloggers, and novel backdoors.

What Else is Known About Charming Kitten?

Charming Kitten is feared as it attacks at a comparably high frequency. Furthermore, Charming Kitten has the backing of the Iranian government. 
Also known as Phosphorous, Ajax Security Team, Newscaster, NewsBeef, and APT35, Charming Kitten debuted in 2018. The group targets think tanks, researchers, political activists, academicians, journalists, and politicians. 
 
The hacking collective is also problematic as it has targeted high-profile public figures, including current President Joe Biden and former President Donald Trump. To be more specific, the hackers disrupted both politicians’ campaigns.

What has Charming Kitten Been up to Lately?

Cybereason’s Nocturnus crew discovered a new variation of Charming Kitten activity when studying digital threats, including an alternating IP address tied to Iranian cyber attackers. The analysis revealed that the Iranian hackers are using several novel tools, including those characteristic of Memento ransomware.
 
Charming Kitten employs a PowerLess Backdoor, meaning a PowerShell trojan that has not been fully documented. This trojan supports the download of additional payloads, including information stealing tactics and keyloggers. Cybereason also pinpointed a novel execution of PowerShell in which the backdoor is concealed from products used to detect security threats. This PowerShell code operates within the .NET application, making it difficult to identify and thwart.  
 
It is also worth noting Cybereason has characterized the Iranian hacking collective’s attempts as open-source that use cryptography libraries to target payloads and encrypted communication. The use of such open-source tools indicates the hackers behind these unique attacks are skilled at intermediate-level coding yet have not gone to the extent of mastering the nuances of specific coding languages.

Is Charming Kitten Responsible for Memento Ransomware?

Cybereason’s digital security specialists indicate Charming Kitten likely has ties to Memento ransomware that struck targets toward the end of 2021. Though Memento ransomware was not attributed until recently, the links indicate the Iranian APT might be pivoting away from its conventional cyber-attack techniques toward new cybercrimes. Charming Kitten recently exploited an RCE weakness dubbed “ProxyShell vulnerability” within Microsoft’s Exchange servers at the same time that Memento was unleashed.
 
According to Cybereason, Charming Kitten has used harmful files and idiosyncratic URL directories that indicate the group is likely connected to Memento ransomware attacks. In particular, there are character strings created by the script used within Memento ransomware attacks. Analysis of the directory’s activity reveals the IP is a domain that functions as a memento command and control mechanism.