Iranian state-sponsored threat actor Charming Kitten, also known as APT35, Mint Sandstorm, Cobalt Illusion, and Yellow Garuda, has been running a new wave of spear-phishing attacks that deploy the POWERSTAR backdoor since May, according to The Hacker News.
In the latest POWERSTAR attacks, Charming Kitten added measures to evade detection, including an LNK file packaged inside a password-protected RAR archive that fetches the backdoor from Backblaze, a report from Volexity revealed.
Researchers also found that the backdoor not only allows remote PowerShell and C# command execution but also collects system information and screenshots, downloads and runs additional modules, and removes persistence-related registry keys and other indicators of its activity. Another POWERSTAR variant retrieves its hard-coded C2 server by decoding a file stored on the decentralized InterPlanetary File System (IPFS).
"The references to persistence mechanisms and executable payloads within the POWERSTAR Cleanup module strongly suggest a broader set of tools used by Charming Kitten to conduct malware-enabled espionage," said researchers.
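The IPFS-based C2 lookup above is the detail a defender can act on: whatever the encoding of the stored file, the implant still has to reach an IPFS gateway over HTTP, and gateway fetches are rare in most corporate traffic. The following added example (written for this page, not code from Volexity or from the malware) scans proxy-log lines for fetches of IPFS content identifiers (CIDs) through public HTTP gateways, in both the path form `https://<gateway>/ipfs/<cid>` and the subdomain form `https://<cid>.ipfs.<gateway>/`. The gateway list, the log format, and the sample log lines are assumptions constructed for the example.

```python
"""Flag proxy-log requests that fetch content through public IPFS HTTP gateways.

Added illustration for this page; not Volexity's tooling and not POWERSTAR code.
The gateway hostnames, the log line format and the sample log are assumptions
constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Assumed set of public IPFS HTTP gateways; extend it for your environment.
IPFS_GATEWAYS = {
    "ipfs.io",
    "dweb.link",
    "cloudflare-ipfs.com",
    "gateway.pinata.cloud",
}

# CIDv0 is "Qm" followed by 44 base58 characters; CIDv1 is most often base32 and
# starts with "baf". This is a rough shape check, not a full multiformats parser.
CID_RE = re.compile(r"Qm[1-9A-HJ-NP-Za-km-z]{44}|baf[a-z2-7]{50,}")
CID_PATH_RE = re.compile(r"/ipfs/(" + CID_RE.pattern + r")")

# Assumed log format: "<timestamp> <source_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: two gateway fetches, one ordinary site, one gateway
# request that does not carry a CID (and so should not be flagged).
SAMPLE_LOG = [
    "2023-06-01T10:00:01Z 10.0.0.5 GET https://ipfs.io/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG 200",
    "2023-06-01T10:00:05Z 10.0.0.5 GET https://www.example.com/index.html 200",
    "2023-06-01T10:00:09Z 10.0.0.7 GET https://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi.ipfs.dweb.link/ 200",
    "2023-06-01T10:00:12Z 10.0.0.9 GET https://ipfs.io/about 200",
]


def extract_cid(url: str):
    """Return (gateway_host, cid) if the URL fetches a CID via a known gateway."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # Path-style gateway: https://<gateway>/ipfs/<cid>
    if host in IPFS_GATEWAYS:
        m = CID_PATH_RE.search(parts.path)
        return (host, m.group(1)) if m else None

    # Subdomain-style gateway: https://<cid>.ipfs.<gateway>/
    label, sep, rest = host.partition(".ipfs.")
    if sep and rest in IPFS_GATEWAYS and CID_RE.fullmatch(label):
        return (host, label)
    return None


def ipfs_fetches(lines):
    """Return one record per log line that fetched an IPFS CID through a gateway."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        found = extract_cid(m["url"])
        if found:
            gateway, cid = found
            hits.append({"ts": m["ts"], "src": m["src"], "gateway": gateway, "cid": cid})
    return hits


if __name__ == "__main__":
    for hit in ipfs_fetches(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} fetched CID {hit['cid']} via {hit['gateway']}")
```

The rule deliberately keys on the CID shape rather than on the gateway alone, so the `/about` request to ipfs.io is not flagged; in an environment where IPFS has no legitimate use, flagging every request to a gateway host is the simpler and stricter choice.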
There has been no evidence that individuals associated with the Biden campaign responded to the unsolicited emails, according to the agencies, which noted that the hackers also sent Trump campaign-related information to U.S. media organizations.
After building trust with targets through spear-phishing emails posing as job openings for senior- and manager-level positions at high-profile companies, UNC2970 delivered a malicious ZIP file disguised as a job description, an analysis from Google Cloud's Mandiant revealed.
More than 260,000 devices, most of them in the U.S., have been part of the Mirai-based botnet, which Integrity Technology Group controlled using IP addresses from the China Unicom Beijing Province Network.