Charming Kitten APT Group Uses Innovative Spear-phishing Methods. Volexity researchers recently noticed that threat actors are actively intensifying their efforts to compromise the credentials or systems of their targets by employing Spear-phishing Methods.
While spear-phishing techniques involve sending personalized messages and engaging in dialogue for days before delivering malicious links or attachments.
Volexity often observes Charming Kitten, an Iranian-based threat actor, using these techniques, and their main focus is gathering intelligence through compromised credentials and spear-phishing emails.
The Charming Kitten APT group extracts additional access and attempts to shift to corporate VPNs or remote access services.
In this spear-phishing campaign, Charming Kitten was found to be distributing an updated version of the backdoor, dubbed POWERSTAR (aka CharmPower), by the security analysts at Volexity.
POWERSTAR Backdoor
Volexity analyzed the latest version of the POWERSTAR backdoor, unveiling Charming Kitten APT Group’s enhanced spear-phishing techniques and malware evolution.
However, despite all the challenges, Volexity successfully analyzed the new variant with all essential components.
Security researchers discovered a complex POWERSTAR variant, possibly aided by a custom server-side component for automated actions.
Notably, this version employs interesting features like IPFS and publicly accessible cloud hosting for decryption and configuration details.
Here below is the POWERSTAR timeline:-
Charming Kitten focused on a recent attack target, using an email address mimicking an Israeli media reporter to send a message.
However, before deploying malware, the attacker casually inquired if the target would review a document on US foreign policy, a common request resembling those from journalists seeking opinions on relevant topics.
Charming Kitten sustained interaction through a harmless email exchange with a question list, followed by the target’s answers to deepen the target’s trust.
After several days of legitimate communication, they sent a malicious LNK file embedded into a password-protected RAR file that is disguised as a “draft report” along with the password.
Phishing Operations
Here below, we have mentioned all the phishing operations that the phishing operator follows:-
- Posing as a genuine person with a verifiable public profile, initiate contact and establish a basic rapport with the target.
- The sender’s email imitates the impersonated person’s personal account, utilizing a reputable webmail service. The initial email contains no malicious content, avoiding security software detection and raising no recipient concerns.
- Upon receiving the target’s response, send a follow-up email with a series of questions, strengthening the attacker-victim rapport and trust.
- A malicious password-protected attachment is sent via a follow-up email if the target responds or remains unresponsive for some time, separating the password to restrict automated scanning and extraction.
POWERSTAR Backdoor Features
Here below, we have mentioned all the features of POWERSTAR:-
- Remote execution of PowerShell and CSharp commands and code blocks
- Persistence via Startup tasks, Registry Run keys, and Batch/PowerShell scripts
- Dynamically updating configuration settings, including AES key and C2
- Multiple C2 channels, including cloud file hosts, attacker-controlled servers, and IPFS-hosted files
- Collection of system reconnaissance information, including antivirus software and user files
- Monitoring of previously established persistence mechanisms
The POWERSTAR backdoor payload collects system info and sends it to the compromised system’s C2 address via a POST request.
In the analyzed sample, the C2 address was a subdomain on Clever Cloud, fuschia-rhinestone.cleverapps[.]io. It includes a victim identifier token for Charming Kitten’s tracking.
Volexity noticed the C2 updating the AES key dynamically, and POWERSTAR sets a random IV and sends it to C2 via the “Content-DPR” header.
While the earlier versions used a custom cipher instead of AES, which improves the operations of the malware. POWERSTAR has the capability to carry out commands using two programming languages, and here below we have mentioned them:-
- PowerShell
- CSharp
Modules with POWERSTAR Backdoor
Volexity successfully obtained access to nine modules of POWERSTAR, which are listed below:-
- Screenshot: Takes a screenshot and uploads to C2
- Processes: Enumerates running processes via “tasklist”, saves to %appdata%\Microsoft\Notepad\Processes.txt, and uploads to C2.
- Shell: Not used in any observed sample; identifies running antivirus software, writes to Shell.txt.
- Applications: Unchanged from Check Point report; retrieves installed programs by traversing registry key paths.
- Persistence: Establishes persistence for the IPFS variant of POWERSTAR via a Registry Run key
- Persistence Monitor: Checks whether various Registry keys and files dropped by POWERSTAR components are still intact; relays this information to the C2.
- System Information: Unchanged from Check Point report; executes the system info command and relays information to C2
- File Crawler: Retrieves drives via Get-PSDrive PowerShell cmdlet, and proceeds to recursively traverse all directories to search for files matching specific extensions while ignoring certain directories; metadata on identified files is relayed to the C2
- Cleanup: This module now contains seven hardcoded methods.
Since 2021, when Volexity initially detected POWERSTAR, Charming Kitten enhanced the malware to increase detection complexity.
The considerable alteration involves downloading the decryption function from remote files, making it harder to detect the malware except in memory.
Moreover, this technique gives the attacker a kill switch, which allows them to prevent further analysis of the crucial functionalities of the malware and its operations.