Charming Kitten, a threat actor believed to be operating from Iran, has been found to be evolving the PowerStar backdoor malware alongside advanced spear-phishing techniques.
Cybersecurity firm Volexity discussed the findings in an advisory published Wednesday, noting that the new version of PowerStar has improved operational security measures that make analysis and information gathering more difficult.
Volexity researchers Ankur Saini and Charlie Gardner said, “Charming Kitten provides a decryption method that is separate from the initial code and never written to disk, exposing the malware to analysis and detection. We tried to limit the
“This also has the added benefit of acting as an operational guardrail. By decoupling the decryption method from the command and control (C2) server, future successful decryption of the corresponding POWERSTAR payload can be prevented.”
The updated malware relies on the InterPlanetary File System (IPFS) and publicly accessible cloud hosting for decryption capabilities and configuration details.
At the same time, Charming Kitten has been observed moving away from previous cloud hosting setups (OneDrive, AWS S3, Dropbox) in favor of privately hosted infrastructure (Backblaze and IPFS).
“This group may believe that this makes their tools less likely to be exposed, or that other providers are less likely to act against their accounts and infrastructure,” Saini and Gardner explained.
The latest version of PowerStar provides remote execution of PowerShell and CSharp commands, various methods of persistence, dynamic configuration updates, multiple C2 channels, system reconnaissance, and monitoring of established persistence mechanisms.
According to Volexity, the updated malware shows Charming Kitten’s continued effort to refine its techniques and evade detection, underscoring the need for robust cybersecurity measures against advanced threats.
The advisory states, “The general phishing playbook used by Charming Kitten and the overall purpose of POWERSTAR are consistent. This suggests that Charming Kitten has been successful enough that these aspects of its operations do not need to change.”
To protect against this threat, Volexity recommends using the YARA rules it provides to detect related activity, blocking the IOCs it lists, and, if your organization does not need IPFS, considering blocking its list of IPFS providers, since IPFS providers can be misused by malware authors as hosting for malicious files.
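As an added example (not code from the article or from Volexity), the following Python script shows how a defender could act on the IPFS-blocking recommendation above: it scans constructed proxy log lines for IPFS gateway traffic, matching a small illustrative list of public gateway hostnames (an assumption, not the advisory's provider list), path-style `/ipfs/<CID>` requests on any host, and subdomain-style `<CID>.ipfs.<host>` requests, and then produces the set of hosts that would be candidates for a block list. The CID patterns (CIDv0 `Qm...` base58, CIDv1 base32 starting with `b`) are general IPFS conventions; the log format and all sample values are constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Illustrative list of public IPFS gateway hostnames (assumption for this demo;
# substitute your organization's vetted list, e.g. the one from the advisory).
IPFS_GATEWAY_HOSTS = sorted({
    "ipfs.io",
    "dweb.link",
    "cloudflare-ipfs.com",
    "gateway.pinata.cloud",
})

# Content identifiers: CIDv0 is "Qm" + 44 base58 chars; CIDv1 is usually
# base32-lowercase starting with "b" (e.g. "bafy..."), 59 chars in practice.
CID_RE = re.compile(r"^(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})$")

# Constructed sample CIDs (syntactically valid, not real content).
EXAMPLE_CID_V0 = "QmZz1y2x3w4v5u6t7s8r9qAbCdEfGhJkMnPqRsTuVwXy2a"
EXAMPLE_CID_V1 = "bafybeiconstructedexamplecidfordetectiondemoaaaaaaaaaaaaaaa"

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
SAMPLE_LOG = f"""\
2023-06-28T10:00:01Z 10.0.0.5 GET https://www.example.com/index.html 200
2023-06-28T10:00:07Z 10.0.0.5 GET https://ipfs.io/ipfs/{EXAMPLE_CID_V0} 200
2023-06-28T10:00:09Z 10.0.0.9 GET https://{EXAMPLE_CID_V1}.ipfs.dweb.link/config.json 200
2023-06-28T10:00:12Z 10.0.0.7 GET https://self-hosted.example.net/ipfs/{EXAMPLE_CID_V0} 200
2023-06-28T10:00:15Z 10.0.0.7 GET https://example.org/ipfs/notacid 404
"""


def classify_url(url):
    """Return (category, blockable_host) if the URL looks like IPFS gateway
    traffic, else None. Categories: known-gateway, path-gateway, subdomain-gateway."""
    parsed = urlparse(url)
    host = parsed.hostname or ""

    # 1. A known public gateway, or any subdomain of one.
    for gw in IPFS_GATEWAY_HOSTS:
        if host == gw or host.endswith("." + gw):
            return ("known-gateway", gw)

    # 2. Path-style gateway on an arbitrary host: /ipfs/<CID> or /ipns/<name>.
    #    A non-CID path segment (e.g. /ipfs/notacid) is deliberately not flagged.
    parts = parsed.path.split("/")
    if len(parts) >= 3 and parts[1] in ("ipfs", "ipns"):
        if parts[1] == "ipns" or CID_RE.match(parts[2]):
            return ("path-gateway", host)

    # 3. Subdomain-style gateway on an arbitrary host: <CID>.ipfs.<base-host>.
    labels = host.split(".")
    if len(labels) >= 3 and labels[1] in ("ipfs", "ipns"):
        if labels[1] == "ipns" or CID_RE.match(labels[0]):
            return ("subdomain-gateway", ".".join(labels[2:]))

    return None


def scan_proxy_log(text):
    """Parse log lines and return a finding dict for each IPFS-looking request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        verdict = classify_url(m.group("url"))
        if verdict:
            category, blockable_host = verdict
            findings.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "url": m.group("url"),
                "category": category,
                "host": blockable_host,
            })
    return findings


def hosts_to_block(findings):
    """Distinct, sorted hosts that the findings suggest adding to a block list."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    results = scan_proxy_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['client']} {f['category']:<18} {f['url']}")
    print("candidate block list:", hosts_to_block(results))
```

The three detection tiers matter in practice: a static gateway list catches the providers the advisory names, but the path and subdomain checks also catch self-hosted or less common gateways, which is the direction the article describes the actor moving in. Feed the resulting host set into your proxy or DNS block list only after confirming that no legitimate business process depends on IPFS.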
The Volexity report comes months after Zscaler highlighted new discoveries of threat actors targeting IPFS infrastructure.