Recently, researchers have observed an increase in attacks by the Phosphorus group (also known as Charming Kitten or APT35). The industry has repeatedly found this group attacking institutions and individuals across many sectors, and it has even interfered in the US presidential election.
Researchers at Cybereason recently discovered that APT35 uses a new PowerShell backdoor called PowerLess. This backdoor evades PowerShell security detection by running directly in the .NET context rather than spawning a PowerShell process.
The new PowerShell backdoor is not the only new tooling used in these attacks; malware loaders, browser stealers and keylogging tools have also been found. Recently the group has frequently used open-source tools in its attacks.
Starting from what is known
The IP address 162.55.136.20 has been identified by many parties, including US-CERT, as attack infrastructure used by APT35.
Among the files downloaded from this IP address is one named WindowsProcesses.exe:
Associated files
According to VirusTotal, this file was detected by 35 of 68 engines:
Detection results
WindowsProcesses.exe
The file named WindowsProcesses.exe is a 64-bit loader that resolves the path %windir%\Temp\dll.dll in order to load the DLL file found there.
Implementation process
After resolving the relevant DLL file and API calls, it starts executing dll.dll:
Main code
The attacker may have borrowed public code snippets from GitHub that use the CLR to run PowerShell at runtime. The attacker kept the name PowerLess for this code, and its PDB path is:
C:\Users\pugna\Desktop\126\V1\PowerLessCLR\x64\Release\PowerLessCLR.pdb
dll.dll
dll.dll is an AES decryptor written in .NET that uses the hard-coded key ()*&3dCfabE2/123 to decrypt another file named upc, and ultimately executes PowerShell code:
File code
upc
The data blocks in the upc file are encrypted in multiple layers and must be decrypted in stages using base64 and AES-ECB.
The decryption keys are the following:
()*&3dCfabE2/123
0123654789mkiujn
25sL(*14@#SDFCgd
Before the PowerShell backdoor is decrypted, a unique identifier is generated for the compromised host and sent to the C&C server to download the configuration file.
C&C communications
PowerLess
Once all decryption is complete, the PowerLess backdoor is executed:
Backdoor command analysis
PowerLess has the following main features:
Download and execute additional malware
Use encrypted C&C channels
Arbitrary command execution
Process termination
Steal browser data
Keylogging
The backdoor runs in the .NET context and does not spawn a powershell.exe process.
Process detection
However, when the backdoor receives a command to terminate a process, it does spawn a powershell.exe process.
Part of the code
There are many spelling and grammatical errors in the code, so the backdoor developer is presumably not a native English speaker.
Log spelling errors
Keylogging
One of the modules the PowerLess backdoor can download is a keylogging tool written in .NET:
Part of the code
Keylogging logs are stored in C:\Windows\Temp\Report.06E17A5A-7325-4325-8E5D-E172EBA7FC5BK:
Log path
Information theft
Another module is an information-stealing tool, also written in .NET. It reads the database files of the Chrome and Edge browsers, encrypts them and writes them out in JSON format.
Part of the code
Logs are stored in C:\Windows\Temp\cup.tmp.
Log path
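As an added example (not code from the original write-up or from Cybereason), the following Python detection logic runs over constructed Sysmon-style events and flags the three behaviours described above: the artefact paths under \Temp, a non-PowerShell process loading System.Management.Automation.dll (the hallmark of PowerShell hosted directly in the CLR rather than in powershell.exe), and powershell.exe being spawned by such a process. The event field names and the sample file paths are assumptions.

```python
from typing import Dict, Iterable, List, Tuple

# Processes that legitimately host System.Management.Automation.dll.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
AUTOMATION_DLL = "system.management.automation.dll"
# Artefact file names from the write-up; the keylogger log is matched by prefix.
ARTEFACT_NAMES = {"dll.dll", "cup.tmp"}
ARTEFACT_PREFIX = "report.06e17a5a-7325-4325-8e5d-e172eba7fc5b"

# Constructed Sysmon-style events (1 = process create, 7 = image load, 11 = file
# create). Field names and paths are assumptions, not a real product schema.
LOADER = r"C:\Users\victim\Downloads\WindowsProcesses.exe"
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SMA_DLL = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation.dll"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "image": LOADER, "parent": r"C:\Windows\explorer.exe"},
    {"id": "11", "image": LOADER, "target": r"C:\Windows\Temp\dll.dll"},
    {"id": "7", "image": LOADER, "loaded": SMA_DLL},
    {"id": "11", "image": LOADER, "target": r"C:\Windows\Temp\Report.06E17A5A-7325-4325-8E5D-E172EBA7FC5BK"},
    {"id": "11", "image": LOADER, "target": r"C:\Windows\Temp\cup.tmp"},
    {"id": "1", "image": PS_EXE, "parent": LOADER},
    {"id": "7", "image": PS_EXE, "loaded": SMA_DLL},  # benign: the real host
    {"id": "1", "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},  # benign
]

def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, subject) hits; events must be chronological so an image load can be matched to a later child."""
    hits: List[Tuple[str, str]] = []
    unmanaged_hosts = set()
    for ev in events:
        img = ev["image"]
        if ev["id"] == "7" and basename(ev["loaded"]) == AUTOMATION_DLL \
                and basename(img) not in POWERSHELL_HOSTS:
            unmanaged_hosts.add(img.lower())
            hits.append(("unmanaged_powershell_host", img))
        elif ev["id"] == "11":
            name = basename(ev["target"])
            if "\\temp\\" in ev["target"].lower() and (
                    name in ARTEFACT_NAMES or name.startswith(ARTEFACT_PREFIX)):
                hits.append(("powerless_artefact_path", ev["target"]))
        elif ev["id"] == "1" and basename(img) in POWERSHELL_HOSTS \
                and ev["parent"].lower() in unmanaged_hosts:
            # The terminate-process command is the one case that spawns powershell.exe.
            hits.append(("powershell_spawned_by_unmanaged_host", ev["parent"]))
    return hits
```

Run as `detect(SAMPLE_EVENTS)`; the two benign events produce no hits, while the loader is flagged once as an unmanaged PowerShell host, once for spawning powershell.exe, and three times for the artefact paths.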
Other tools
Besides PowerLess, researchers also discovered other tools. Although there is currently no definite evidence that they all come from APT35, researchers believe they are from the same developer.
According to the PDB path of WindowsProcesses.exe, C:\Users\pugna\Desktop\126\V1\PowerLessCLR\x64\Release\PowerLessCLR.pdb:
PDB path
Searching by this prefix reveals other tools:
Other samples
Chromium F.exe
Chromium F.exe is a browser information-stealing program with functions similar to the module described above.
Part of the code
Sou.exe
Sou.exe is a recording program modified from the open-source NAudio project.
Part of the code
New sample
The new sample, possibly from the same developer, appears to be an unfinished ransomware sample, also developed on .NET, and currently only has a lock-screen function. The ransom amount, email and other fields have not been filled in. The sample was uploaded from Iran, and it is possible that the attackers are planning to use ransomware.
Sample upload information
Ransomware screenshot
FRP Loader
Among the past ProxyShell exploitation attacks, the most active IP was 148.251.71.182. Recently it was discovered that this IP has begun exploiting the Log4j vulnerability to launch attacks.
Related documents
Among them, a Java loader named RCE is used to fetch the version of the FRP program that matches the operating system.
RCE file
There are two variants of the loader. It checks the operating system's file path separator to determine the operating system, then downloads the payload and establishes persistence.
Part of the code
PowerShell
Another delivery method is PowerShell code, converted into an executable by the open-source tool Ps1 To Exe.
File information
The loader creates scheduled tasks for FRP. The complete process tree is as follows:
Process tree
Ransomware
Another IP address disclosed by US-CERT, 91.214.124.143, is associated with the Memento ransomware.
Related information
Conclusion
The attacker deployed the new PowerShell backdoor PowerLess, but may lack professional coding experience, which provides tracking clues for analysts, such as the reuse of known attack infrastructure and retained PDB paths.
Reference sources
[Cybereason](https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage)