Saturday, February 12, 2022

Iranian hacking group Phosphorus (AKA APT35, AKA Charming Kitten) causing destruction again!! New PowerLess PowerShell backdoor, and a link to Memento ransomware 🦠️🦠️


[Image: Iranian hacking group Phosphorus, also known as APT35 and Charming Kitten]

Cybereason reports that the Iranian hacking group Phosphorus, also known as APT35 and Charming Kitten, is once again out to cause damage and chaos to innocent people. This time the group is exploiting the Microsoft Exchange Server vulnerability chain known as ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) for initial access, and then deploying a new, stealthy PowerShell backdoor that Cybereason calls PowerLess.

PowerLess is a highly modular backdoor. It connects to a C2 server controlled by Phosphorus and is then used to steal browser data, log keystrokes and carry out a whole host of other malicious actions, with additional modules fetched from the C2 as needed.

A technical inspection revealed the execution chain. First a malicious file called windowsprocesses.exe is executed, which then loads a new file called dll.dll. This DLL appears to be inspired by code published on GitHub by farzinenddo that runs PowerShell inside the .NET CLR rather than by launching powershell.exe; because no powershell.exe process is ever created, detections keyed on PowerShell process creation or script-block logging never fire. dll.dll is a .NET AES decryptor with a hard-coded key, `() * & 3dCfabE2 / 123`, which it uses to decrypt a file called upc. The decrypted contents of upc are the PowerShell script that is the PowerLess backdoor itself, and it is run directly in the hosted runtime.
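The chain above gives a defender two things to hunt for: the file names the report names (windowsprocesses.exe, dll.dll, upc), which are easy for the operator to change, and the behaviour that is harder to change, a non-PowerShell process loading the managed PowerShell engine (System.Management.Automation.dll). The following is an added example, not code from Cybereason or from the original post: a small hunt over Sysmon-style JSON events (EventID 1 ProcessCreate, 7 ImageLoaded, 11 FileCreate). The log lines are constructed for illustration, and the field names assume Sysmon's default event schema.

```python
"""Hunt for the PowerLess execution chain in Sysmon-style JSON events.

Added example, not code from the Cybereason report or the original post.
The events at the bottom are constructed, not real telemetry; field names
(EventID, Image, ImageLoaded, TargetFilename) follow Sysmon's schema.
"""
import json
import ntpath

# File names the post reports for the chain. An operator can rename these
# trivially, so a hit here is a lead to investigate, not proof on its own.
REPORTED_ARTIFACTS = {"windowsprocesses.exe", "dll.dll", "upc"}

# The managed PowerShell engine assembly (JIT and native-image variants).
# Any process other than the usual hosts loading it is running PowerShell
# "in-process", which is the behaviour the post attributes to dll.dll.
POWERSHELL_ENGINE = {
    "system.management.automation.dll",
    "system.management.automation.ni.dll",
}
EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def _base(path):
    """Lower-cased file name of a Windows path (accepts either slash)."""
    return ntpath.basename(path.replace("/", "\\")).lower()


def check_event(ev):
    """Return a list of finding strings for one parsed Sysmon event."""
    findings = []
    eid = ev.get("EventID")
    image = _base(ev.get("Image", ""))
    if eid == 7:  # ImageLoaded
        loaded = _base(ev.get("ImageLoaded", ""))
        if loaded in POWERSHELL_ENGINE and image not in EXPECTED_HOSTS:
            findings.append(
                f"in-process PowerShell host: {image} loaded {loaded}")
        if loaded in REPORTED_ARTIFACTS:
            findings.append(
                f"reported PowerLess artifact loaded: {loaded} by {image}")
    elif eid == 1:  # ProcessCreate
        if image in REPORTED_ARTIFACTS:
            findings.append(f"reported PowerLess artifact started: {image}")
    elif eid == 11:  # FileCreate
        target = _base(ev.get("TargetFilename", ""))
        if target in REPORTED_ARTIFACTS:
            findings.append(
                f"reported PowerLess artifact written: {target} by {image}")
    return findings


def hunt(lines):
    """Run check_event over JSON lines; returns [(line_no, finding), ...].

    Malformed lines are skipped rather than aborting the whole hunt, since
    a single bad record in a large export should not hide other hits.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        for finding in check_event(ev):
            hits.append((n, finding))
    return hits


# Constructed sample telemetry (hypothetical paths) reproducing the chain
# the post describes, plus two benign events and one garbled line.
_PUBLIC = r"C:\Users\Public"
_PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENGINE_NI = (r"C:\Windows\assembly\NativeImages_v4.0.30319_64"
              r"\System.Manaa57fc8cc#\System.Management.Automation.ni.dll")
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": _PUBLIC + r"\windowsprocesses.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "Image": _PUBLIC + r"\windowsprocesses.exe",
     "ImageLoaded": _PUBLIC + r"\dll.dll"},
    {"EventID": 11, "Image": _PUBLIC + r"\windowsprocesses.exe",
     "TargetFilename": _PUBLIC + r"\upc"},
    {"EventID": 7, "Image": _PUBLIC + r"\windowsprocesses.exe",
     "ImageLoaded": _ENGINE_NI},
    # Benign: the real PowerShell host loading its own engine.
    {"EventID": 7, "Image": _PS_EXE,
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL"
                    r"\System.Management.Automation\System.Management.Automation.dll"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS] + ["<garbled export line>"]

if __name__ == "__main__":
    for line_no, finding in hunt(SAMPLE_LOG):
        print(f"line {line_no}: {finding}")
```

The first three rules only match the names from the report; the fourth is the one worth keeping long term, since a backdoor that hosts PowerShell in-process has to load the engine assembly no matter what the loader is called. Expect some benign hits from that rule (management tooling and some installers also host PowerShell), so tune EXPECTED_HOSTS to the environment rather than alerting on every match.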

[Screenshot: PowerLess malicious code]

In an interesting turn of events, Charming Kitten also appears to be connected to the devastating Memento ransomware: an IP address used as a C2 server in the PowerLess code is also being used by Memento. Shared infrastructure on its own is weak evidence that the same operators are behind both, but it is a strong enough lead that any organisation that has seen one should hunt for the other.

Phosphorus also known as  APT35 and Charming Kitten must be stopped! 😤
