Charming Kitten’s PowerStar Malware Evolves: A Sophisticated Threat from Iran’s Cyber Espionage Group

Charming Kitten, a nation-state actor linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), has recently enhanced its cyber arsenal with an upgraded version of the PowerStar backdoor malware. The threat actor, known for its social engineering tactics and personalized spear-phishing campaigns, is continuously refining its techniques to evade detection. The latest findings from cybersecurity firm Volexity shed light on the advanced features and operational security measures employed by Charming Kitten, emphasizing the need for robust cybersecurity measures to counter such sophisticated threats.

Enhanced PowerStar Backdoor and Operational Security Measures:

Charming Kitten’s PowerStar backdoor, also referred to as CharmPower, has undergone significant improvements intended to impede analysis and intelligence collection. The malware now separates the decryption method from the initial code, so that it is never written to disk, thereby reducing the risk of exposure. By delivering the payload in password-protected RAR files and sending the password in a subsequent email, Charming Kitten has made it difficult for researchers to decrypt the corresponding PowerStar payload. Without that password, these operational guardrails prevent decryption and, with it, any subsequent analysis of the malware.

PowerStar’s Extensive Features and Functionality:

The upgraded PowerStar backdoor boasts a comprehensive set of capabilities designed to facilitate the remote execution of PowerShell and C# commands. It enables the establishment of persistence, collection of system information, and the downloading and execution of additional modules for various purposes, including process enumeration, screenshot capture, file search, and monitoring of persistence components. Charming Kitten has also improved the cleanup module, which effectively erases all traces of the malware and removes related registry keys, demonstrating the group’s continued efforts to refine its techniques and evade detection.

IPFS Integration and Evolving Attack Infrastructure:

In a notable development, Charming Kitten has incorporated the InterPlanetary File System (IPFS) into its malware infrastructure. PowerStar leverages IPFS for its decryption function and configuration details, alongside publicly accessible cloud hosts such as Backblaze. This move away from its earlier cloud-hosting preferences, such as OneDrive and AWS S3, toward privately hosted infrastructure suggests that Charming Kitten seeks to minimize exposure and the risk of actions against its accounts and infrastructure by using alternative providers.
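Because PowerStar fetches its decryption function and configuration over IPFS and relies on hosts such as Backblaze, outbound web requests from PowerShell to IPFS gateways or Backblaze B2 are a useful hunting signal. The following is an added example (not code from Volexity or the article) that scans constructed proxy log lines for that pattern; the log format, the gateway list and the sample lines are assumptions.

```python
"""Hunt for PowerShell-initiated requests to IPFS gateways or Backblaze B2.

Added example, not from the article or the Volexity report. The proxy log
format ("<ts> <host> <process> <method> <url>") and the sample lines below
are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Public IPFS HTTP gateways: an illustrative subset, not a complete list.
IPFS_GATEWAYS = {"ipfs.io", "dweb.link", "cloudflare-ipfs.com", "gateway.pinata.cloud"}
# IPFS content paths look like /ipfs/<CID>: CIDv0 is "Qm" + 44 base58 chars,
# CIDv1 (base32) typically starts with "baf". Catches self-hosted gateways too.
IPFS_PATH = re.compile(r"^/ipfs/(Qm[1-9A-HJ-NP-Za-km-z]{44}|baf[a-z2-7]{50,})")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+)$")

def classify(line):
    """Return (reason, url) if the line warrants attention, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _ts, _host, proc, _method, url = m.groups()
    if proc.lower() not in SCRIPT_HOSTS:
        return None  # only script hosts are of interest for this signal
    parsed = urlparse(url)
    domain = parsed.hostname or ""
    if domain in IPFS_GATEWAYS or IPFS_PATH.match(parsed.path):
        return ("powershell->ipfs", url)
    if domain.endswith(".backblazeb2.com"):
        return ("powershell->backblaze-b2", url)
    return None

def hunt(lines):
    """Run classify() over every log line and collect the hits in order."""
    hits = []
    for line in lines:
        hit = classify(line)
        if hit:
            hits.append(hit)
    return hits

# Constructed sample log: two PowerShell hits, one browser request to ignore,
# one benign PowerShell request, and one self-hosted gateway fetch by CID path.
SAMPLE_LOG = [
    "2023-06-28T10:01:02Z WS01 powershell.exe GET https://ipfs.io/ipfs/QmConstructedTestCidXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "2023-06-28T10:01:05Z WS01 powershell.exe GET https://f002.backblazeb2.com/file/bucket/doc.rar",
    "2023-06-28T10:02:00Z WS01 chrome.exe GET https://ipfs.io/ipfs/QmConstructedTestCidXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "2023-06-28T10:03:00Z WS01 powershell.exe GET https://www.microsoft.com/",
    "2023-06-28T10:04:10Z WS01 pwsh.exe GET https://cdn.example.org/ipfs/QmConstructedTestCidXXXXXXXXXXXXXXXXXXXXXXXXXX",
]

if __name__ == "__main__":
    for reason, url in hunt(SAMPLE_LOG):
        print(reason, url)
```

Feed real proxy or EDR network logs into `hunt()` after adapting `LOG_RE` to the source format; the CID path check is what keeps a private gateway on an unlisted domain from slipping past the gateway allowlist.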

Persistent Spear-Phishing Tactics and Espionage Objectives:

Charming Kitten’s spear-phishing campaigns remain consistent in their overall purpose and techniques, despite the evolving nature of the PowerStar backdoor. The threat actor employs social engineering strategies, crafting tailored personas on social media platforms, engaging in sustained conversations, and building rapport before delivering malicious links. Recent intrusions have also seen Charming Kitten utilizing other implants like PowerLess and BellaCiao, demonstrating a broad range of espionage tools at their disposal. The group’s continued success necessitates vigilance and the implementation of robust cybersecurity measures.

Conclusion:

Charming Kitten, the Iranian government-backed hacking group, continues to evolve its cyber capabilities by enhancing the PowerStar backdoor malware and refining its spear-phishing tactics. With improved operational security measures and an expanded range of tools, Charming Kitten poses a significant threat to targeted individuals and organizations. It is crucial for cybersecurity professionals to stay vigilant, employ advanced threat detection mechanisms, and implement strong defensive measures to counteract the activities of sophisticated threat actors like Charming Kitten.
