According to a recent security report, a group of Iranian hackers has been identified as the source of a new wave of phishing attacks designed to distribute an updated version of the well-known backdoor called “PowerLess.” Check Point, a security company, actively monitors the situation and tracks the group’s activities under the name “Educated Manticore.” This group has been linked to several other hacking crews, including APT35, Charming Kitten, Cobalt Illusion, ITG18, Mint Sandstorm, Yellow Garuda, and TA453. Previous reports from 2011 indicate that APT35 employs various tactics, such as creating fake social media profiles, spear-phishing, and exploiting N-day vulnerabilities in public-facing applications to gain access and execute attacks.
Check Point has reported that Educated Manticore, like many other threat actors, is now using ISO images and other archive files to initiate infection chains. Alongside this new tactic, the group has kept refining its malware arsenal, expanding functionality and evading detection through enhanced protocols. Check Point’s analysis of the attack showed that the process begins with an ISO disk image file using Iraq-themed lures to drop a custom in-memory downloader that launches the PowerLess implant. The ISO file also displays a decoy document in Arabic, Hebrew, and English to deceive users. Further investigation of the attack suggests that the Arab Science and Technology Foundation (ASTF) may be the target of the threat actors.
In February of 2022, an updated version of the PowerLess backdoor was released that could steal data from web browsers, take screenshots, log keystrokes, and record audio; according to Check Point, subsequent reports confirmed these capabilities. While the new version of PowerLess functions similarly to previous versions, it has significantly improved loading mechanisms that rely on techniques rarely seen in the wild, such as .NET binaries built in mixed mode with assembly code. Additionally, PowerLess’ command-and-control communication with the server is Base64-encoded and encrypted, and the threat actor prepends three random letters to the encoded blob to mislead researchers. Check Point also uncovered two archive files that are crucial to the infection chain. Despite Educated Manticore’s continued success, Check Point predicts their success may not last much longer.