
Updated PowerLess backdoor used in Iranian hacking attacks

Educated Manticore, an Iranian state-sponsored threat operation that has been strongly linked with APT35 (also known as Mint Sandstorm, Phosphorus, Charming Kitten, Yellow Garuda, Cobalt Illusion, and ITG18), has been targeting Israel with sophisticated phishing attacks that distribute an updated version of the PowerLess backdoor, The Hacker News reports. Attacks by Educated Manticore begin with an ISO disk image file using Iraq-themed lures, which deploys an in-memory downloader that in turn executes the PowerLess malware, according to a Proofpoint report. PowerLess has offered web and app data theft, screenshot capture, keystroke logging, and audio recording capabilities since it emerged in February 2022, but the backdoor used in the new campaign has been updated with significantly improved loading mechanisms and now leverages .NET binary files. Two additional archive files, observed as part of another intrusion set, were also found to follow an attack sequence closely resembling the one with the Iraq-themed lure. "Because it is an updated version of previously reported malware, [...] it is important to note that it might only represent the early stages of infection, with significant fractions of post-infection activity yet to be seen in the wild," said Proofpoint.
