An Iranian nation-state threat actor has been linked to a new wave of phishing attacks targeting Israel that are designed to deploy an updated version of a backdoor called PowerLess.
Cybersecurity company Check Point is tracking the activity cluster under its mythical-creature moniker Educated Manticore, which it says shows "strong overlaps" with the hacking crew known as APT35, Charming Kitten, Cobalt Illusion, ITG18, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda.
"Like many other actors, Educated Manticore has adopted recent trends and started using ISO images and possibly other archive files to start infection chains," the Israeli company said in a technical report published today.
Active since at least 2011, APT35 has cast a wide targeting net by leveraging fake social media personas, spear-phishing techniques, and N-day vulnerabilities in internet-exposed applications to gain initial access and drop various payloads, including ransomware.
These developments are an indication that the adversary is continuously refining and retooling its malware arsenal to expand its functionality and resist analysis efforts, while also adopting improved methods to evade detection.
The attack chain documented by Check Point starts with an ISO disk image file that uses an Iraq-themed lure to drop a custom in-memory downloader, which ultimately launches the PowerLess implant.
The ISO file also acts as a conduit for displaying decoy documents written in Arabic, English, and Hebrew. These purport to be academic content about Iraq from a legitimate non-profit entity called the Arab Science and Technology Foundation (ASTF), suggesting that the research community may have been the target of the campaign.
The PowerLess backdoor, previously highlighted by Cybereason in February 2022, comes with the ability to steal data from web browsers and apps like Telegram, take screenshots, record audio, and log keystrokes.
“While the new PowerLess payload remains similar, its loading mechanism has been significantly improved, adopting techniques rarely seen in the wild, such as using .NET binary files created in mixed mode with assembly code,” said Check Point.
"PowerLess command-and-control (C2) communications to the server are Base64-encoded and encrypted after obtaining the key from the server. To mislead researchers, the threat actors actively add three random letters to the start of the encoded blob."
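The framing described in that quote (three junk letters, then Base64, then ciphertext under a server-supplied key) is the kind of thing an analyst scripts a decoder for. The following is an added example written for this page, not Check Point's code or anything recovered from the implant. The report does not name the cipher, so RC4 is used purely as a stand-in (an assumption), and the key and beacon message are constructed sample data. It also goes slightly beyond the text by showing how to guess the prefix length when it is not known in advance.

```python
"""Decoder for the PowerLess C2 blob framing described in the Check Point report:
three random letters, then Base64, then ciphertext under a server-supplied key.
The cipher is not named in the report; RC4 is used here only as a stand-in
(assumption) so the example runs offline. All sample data is constructed."""
import base64
import re
import secrets
import string

JUNK_PREFIX_LEN = 3  # report: three random letters prepended to the encoded blob
B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR (stand-in cipher; symmetric, so it also decrypts)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_blob(key: bytes, plaintext: bytes, prefix: str = "") -> str:
    """Build a blob the way the report describes: encrypt, Base64, prepend 3 letters."""
    if not prefix:
        prefix = "".join(secrets.choice(string.ascii_letters) for _ in range(JUNK_PREFIX_LEN))
    if len(prefix) != JUNK_PREFIX_LEN or not prefix.isalpha():
        raise ValueError("prefix must be exactly three letters")
    return prefix + base64.b64encode(rc4(key, plaintext)).decode("ascii")


def is_clean_base64(s: str) -> bool:
    """Alphabet check plus the length rule that a 3-character junk prefix breaks."""
    return len(s) % 4 == 0 and B64_RE.match(s) is not None


def decode_blob(key: bytes, blob: str) -> bytes:
    """Decode when the framing is known: strip 3 chars, Base64-decode, decrypt."""
    body = blob[JUNK_PREFIX_LEN:]
    if not is_clean_base64(body):
        raise ValueError("body is not valid Base64 after stripping the prefix")
    return rc4(key, base64.b64decode(body, validate=True))


def looks_like_plaintext(data: bytes) -> bool:
    """Sanity check for guessed decodings: printable UTF-8 text only."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def recover_prefix_len(key: bytes, blob: str, max_prefix: int = 8) -> tuple:
    """Guess how many junk characters precede the Base64 body.

    Tries 0..max_prefix, keeps candidates whose remainder is well-formed Base64,
    and accepts the first whose decryption reads as text. The length rule alone
    is not enough (a 4-letter prefix would satisfy it), so the decrypt-and-inspect
    step is what actually disambiguates. Returns (prefix_len, plaintext).
    """
    for k in range(max_prefix + 1):
        body = blob[k:]
        if not is_clean_base64(body):
            continue
        candidate = rc4(key, base64.b64decode(body, validate=True))
        if looks_like_plaintext(candidate):
            return k, candidate
    raise ValueError("no prefix length yields readable plaintext")


if __name__ == "__main__":
    # Constructed sample: a made-up beacon and a made-up server-supplied key.
    key = b"server-supplied-key"
    beacon = b'{"id":"host-01","cmd":"screenshot"}'
    blob = encode_blob(key, beacon)
    print("blob:", blob)
    print("whole blob is valid Base64?", is_clean_base64(blob))
    print("recovered:", recover_prefix_len(key, blob))
```

Because three is not a multiple of four, the junk prefix leaves the whole string with an invalid Base64 length, which is enough to break a naive one-shot decode and is why the length rule alone already points at the right offset here; the decrypt-and-inspect loop is what you would fall back on if a sample turned up with a different prefix length.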
The cybersecurity firm said it also found two other archive files used as part of a different intrusion set that overlaps with the attack sequence above through its use of the same Iraq-themed PDF file.
Further analysis revealed that the infection chain emerging from these two archive files culminates in the execution of a PowerShell script designed to download two files from a remote server and run them.
"Educated Manticore continues to evolve, perfecting previously observed tool sets and delivery mechanisms," Check Point said, adding that the actors are "adopting popular trends to evade detection" and continuing to "develop custom tool sets using advanced techniques."
"Because it is a newer version of previously reported malware, (…) it is important to note that it might only represent the early stages of infection, with significant fractions of post-infection activity yet to be seen in the wild."