Iranian APT Employs POWERSTAR Backdoor Malware

Charming Kitten, a state-sponsored threat actor linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as the perpetrator of a sophisticated spear-phishing campaign. The campaign delivers an updated version of a powerful PowerShell backdoor called POWERSTAR.

Volexity researchers, Ankur Saini and Charlie Gardner, reported that the malware has been enhanced with improved operational security measures, making it more challenging to analyze and gather intelligence.

Charming Kitten excels in leveraging social engineering tactics to entice targets. They create tailored fake identities on social media platforms and engage in prolonged conversations to establish trust before sending malicious links. The group is also known by various names, including APT35, Cobalt Illusion, Mint Sandstorm (formerly Phosphorus), and Yellow Garuda.

Recent attacks orchestrated by Charming Kitten have utilized additional implants such as PowerLess and BellaCiao, suggesting a diverse range of espionage tools employed to achieve their strategic objectives.

POWERSTAR in Brief

POWERSTAR, also known as CharmPower, is the latest addition to Charming Kitten's arsenal. It was initially documented by Check Point in January 2022, revealing its use in attacks exploiting the Log4Shell vulnerabilities in publicly exposed Java applications.

Since then, the backdoor has been observed in at least two other campaigns, as reported by PwC in July 2022 and Microsoft in April 2023.

Volexity, which detected a basic variant of POWERSTAR in 2021 distributed through a malicious macro embedded in a DOCM file, identified a new attack wave in May 2023. This wave employs an LNK file within a password-protected RAR file to download the backdoor from Backblaze, and it adds measures intended to impede analysis of the payload.

Charming Kitten has implemented a method to separate the decryption process from the initial code, preventing future decryption of the POWERSTAR payload and adding an operational safeguard against analysis and detection.

The POWERSTAR backdoor boasts an extensive range of features, allowing remote execution of PowerShell and C# commands, establishment of persistence, collection of system information, and downloading and execution of additional modules for process enumeration, screenshot capture, file search based on specific extensions, and monitoring of persistence components.

Notably, the cleanup module has been enhanced and expanded in the updated version to erase all traces of the malware and delete registry keys related to persistence. These advancements indicate Charming Kitten's ongoing efforts to refine techniques and evade detection.
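The delivery and persistence chain described above (LNK-launched PowerShell, payload download from a cloud-storage host, registry-based persistence) lends itself to correlation in endpoint telemetry. The following Python heuristic is an added example, not code from the article or from Volexity's report: it correlates constructed Sysmon-style events per process and flags a process that covers every stage. The hostnames, PIDs, command lines and registry paths are constructed samples, not indicators from the report.

```python
"""Correlate constructed Sysmon-style events into a POWERSTAR-like delivery chain.

Heuristic only: PowerShell launched from explorer.exe with a hidden window (as an
LNK lure would) -> outbound connection to a cloud storage host -> Run-key write.
All sample events below are constructed for illustration, not real IoCs.
"""
from collections import defaultdict

# Backblaze is named in the article; the B2 hostname suffix is an assumption here.
CLOUD_HOSTS = ("backblazeb2.com",)
RUN_KEY = r"\software\microsoft\windows\currentversion\run"

# Constructed events: (event_id, pid, fields). 1 = process create, 3 = network, 13 = registry set
SAMPLE_EVENTS = [
    (1, 4120, {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "parent": r"C:\Windows\explorer.exe",
               "cmdline": "powershell.exe -w hidden -nop -File stage1.ps1"}),
    (3, 4120, {"dest_host": "f002.backblazeb2.com", "dest_port": 443}),
    (13, 4120, {"target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"}),
    (1, 5010, {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "parent": r"C:\Windows\explorer.exe",
               "cmdline": "powershell.exe Get-ChildItem"}),  # benign interactive use
    (3, 5010, {"dest_host": "www.microsoft.com", "dest_port": 443}),
]

def stage_of(event_id, fields):
    """Map one event to a chain stage name, or None when it matches no stage."""
    if event_id == 1:
        cmd = fields["cmdline"].lower()
        hidden = "-w hidden" in cmd or "-windowstyle hidden" in cmd
        if (fields["image"].lower().endswith("powershell.exe")
                and fields["parent"].lower().endswith("explorer.exe") and hidden):
            return "lnk_launch"
    elif event_id == 3 and fields["dest_host"].lower().endswith(CLOUD_HOSTS):
        return "cloud_download"
    elif event_id == 13 and RUN_KEY in fields["target"].lower():
        return "run_key_persistence"
    return None

def find_chains(events, required=("lnk_launch", "cloud_download", "run_key_persistence")):
    """Return the sorted PIDs whose events cover every required stage."""
    stages = defaultdict(set)
    for event_id, pid, fields in events:
        stage = stage_of(event_id, fields)
        if stage:
            stages[pid].add(stage)
    return sorted(pid for pid, seen in stages.items() if set(required) <= seen)

if __name__ == "__main__":
    print(find_chains(SAMPLE_EVENTS))  # [4120]
```

Only the process that covers all three stages is reported; the benign interactive PowerShell session with the same parent is not.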

Volexity also discovered a different variant of POWERSTAR that attempts to retrieve a hard-coded command-and-control (C2) server by decoding a file stored on the decentralized InterPlanetary Filesystem (IPFS). This signifies the group's endeavor to enhance the resilience of its attack infrastructure.

In a parallel development, MuddyWater (aka Static Kitten) has employed a previously undocumented C2 framework called PhonyC2 to deliver malicious payloads to compromised hosts.

June 30, 2023