The Iran-linked threat group known as APT35 (aka Charming Kitten, Imperial Kitten, or Tortoiseshell) has updated its cyberattack arsenal with improved abilities to hide its actions, as well as an upgraded custom backdoor that it’s distributing via a spear-phishing campaign.
The advanced persistent threat (APT) is alleged to operate out of Iran and is primarily concerned with collecting intelligence by compromising account credentials and, subsequently, the email of individuals it successfully spear-phishes.
According to a blog post published by Volexity, the group has recently attempted a spear-phishing campaign targeting an Israeli journalist with a “draft report” lure. The “draft report” was a password-protected RAR file containing a malicious LNK file which downloaded a backdoor.
The incident was a highly targeted attack; prior to sending malware to the victim, the attackers asked if the person would be open to reviewing a document they had written related to US foreign policy. The target agreed to do so, since this is not an unusual request in the journalism line of work, but APT35 didn’t send it right away — instead, the attackers continued the interaction with another benign email containing a list of questions, to which the target then responded with answers. After multiple days of benign and seemingly legitimate interaction, the attackers finally sent the “draft report” loaded with malware.
Toby Lewis, global head of threat analysis at Darktrace, says APT35’s targeting profile is very much in the theme of what you’d expect to see from a group associated with the Iranian government. He says: “This is a group that’s trying to be bespoke, be stealthy, and stay under the radar, and so to do that you’re also going to really focus your social engineering to try and improve that return on the investment.”
PowerStar Malware & Evolving Spear-Phishing Techniques
In this most recent campaign, APT35 delivered the PowerStar malware — an updated version of one of its known backdoors, CharmPower — which it sent via an email containing an .LNK file inside a password-protected .RAR file.
When executed by a user, the .LNK file downloads PowerStar from the Backblaze hosting provider and attacker-controlled infrastructure, according to Volexity’s report. PowerStar then collects a small amount of system information from the compromised machine and sends it via a POST request to a command-and-control (C2) address downloaded from Backblaze.
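For defenders triaging attachments like the one described above, this added example (not from Volexity's report or the original article) parses a .LNK file's string fields per the MS-SHLLINK format and flags shortcuts whose target is a script interpreter or whose arguments contain a URL. The interpreter list, the function names and the sample shortcut are assumptions constructed for illustration; the article does not say what the real LNK invoked.

```python
import re
import struct

# MS-SHLLINK: header is 0x4C bytes with a fixed CLSID; LinkFlags bits below.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
# Assumption: interpreters worth flagging; the article does not name the target.
INTERPRETERS = ("powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe")
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)

def parse_lnk(data):
    """Return the StringData fields of a shell link as a dict."""
    try:
        size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
        if len(data) < 76 or size != 0x4C or clsid != LNK_CLSID:
            raise ValueError("not a shell link")
        off = 76
        if flags & HAS_IDLIST:      # 2-byte size, excludes the size field
            off += 2 + struct.unpack_from("<H", data, off)[0]
        if flags & HAS_LINKINFO:    # 4-byte size, includes the size field
            off += struct.unpack_from("<I", data, off)[0]
        width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
        fields = {}
        for bit, name in STRING_FIELDS:
            if flags & bit:         # 2-byte character count, then the string
                n = struct.unpack_from("<H", data, off)[0] * width
                if off + 2 + n > len(data):
                    raise ValueError("truncated string data")
                fields[name] = data[off + 2:off + 2 + n].decode(codec, "replace")
                off += 2 + n
        return fields
    except struct.error as exc:
        raise ValueError("truncated shell link") from exc

def triage_lnk(data):
    """Return the reasons this shortcut deserves a closer look."""
    fields = parse_lnk(data)
    target = fields.get("relative_path", "").lower()
    checks = [("target is a script interpreter", target.endswith(INTERPRETERS)),
              ("URL in arguments", bool(URL_RE.search(fields.get("arguments", ""))))]
    return [reason for reason, hit in checks if hit]

def build_sample_lnk(relative_path, arguments):
    """Constructed test input: minimal Unicode shortcut with two strings."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE) + bytes(52)
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                             for s in (relative_path, arguments))
```

The parser reads only the StringData section; shortcuts that carry their target solely in the LinkTargetIDList or LinkInfo structures need those parsed as well.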
Volexity believes this variant of PowerStar to be especially complex, and suspects that it is likely supported by a custom server-side component, which automates simple actions for the malware operator. Also, a decryption function is downloaded from remotely hosted files, which hinders detection of the malware outside of memory and gives the attacker a kill switch to prevent future analysis of the malware’s key functionality.
“With PowerStar, Charming Kitten sought to limit the risk of exposing their malware to analysis and detection by delivering the decryption method separately from the initial code and never writing it to disk,” the company said. “This has the added bonus of acting as an operational guardrail, as decoupling the decryption method from its command-and-control server prevents future successful decryption of the corresponding PowerStar payload.”
Lewis says that quest for return on investment for APT groups sometimes drives relatively unsophisticated, low-effort campaigns, but more often, “you’ve got groups that are going to get as sophisticated as they need to be to meet their objectives.” What that means can run the gamut: Some will be able to develop zero days, as opposed to just using something they got from somebody else; others will demonstrate sophistication in how they manage and control their infrastructure.
The latter is the case with APT35. “When you’ve got the trade craft that we’ve got this group using, effectively bringing down custom payloads, it’s bringing down different modules from third party services,” he says. “Each different payload is going to be a little bit different, a little bit tweaked, and a little bit tuned, and … that sort of approach is absolutely what you’d expect to see.”
Nonetheless, Volexity researchers said they regularly observe operations from the APT, but find that the group rarely deploys malware as part of its attacks. “This sparing use of malware in their operations likely increases the difficulty of tracking their attacks,” according to the firm.
APT35 has been active for more than a decade. According to a 2021 blog from Darktrace, APT35 has in that time launched extensive campaigns against organizations and officials across North America and the Middle East; public attribution has characterized APT35 as an Iran-based nation-state threat actor. Recent campaigns were suspected to be in service to Iran’s potential physical targeting of dissenters for kidnapping and other kinetic ops.