Our friends over at Cybereason published two new studies today (February 1st, 2022) regarding recent exploits from Iranian hacking groups Phosphorus and Moses Staff, both of which, if left unchallenged by cybersecurity professionals, could lead to heaps of problems.
The articles, which are linked to above, illustrate the lengths Iranian hackers are willing to go to further Tehran’s geopolitical agenda against enemies around the world, including the United States, Israel, and more. Keep reading to see a breakdown of what exactly’s going on.
Phosphorus (aka Charming Kitten, APT35)
Known for attacking researchers, both medical and academic, and interfering with US presidential elections, Phosphorus is back with a vengeance.
Cybereason’s research teams have noticed the group has incorporated a new set of tools into their bag of tricks. One is a novel PowerShell backdoor they call PowerLess Backdoor. The sneaky technique is used by Phosphorus to avoid PowerShell detection by running PowerLess in a .NET context rather than spawning the PowerShell process.
Cybereason also believes there’s a connection between Phosphorus and the Memento Ransomware that first appeared in 2021. Ultimately, there’s more in the report but we’re reposting the most important bits below.
Key Findings:
- Novel PowerShell Backdoor: A novel and previously undocumented PowerShell backdoor related to the Phosphorus group was discovered by the Cybereason Nocturnus Team and dubbed PowerLess Backdoor. It supports downloading additional payloads, such as a key-logger and an info stealer.
- Evasive PowerShell Execution: The PowerShell code runs in the context of a .NET application, thus not launching “powershell.exe” which enables it to evade security products.
- Modular Malware: The toolset analyzed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy.
- Highly Active Infrastructure: At the time of writing this report, some of the IOCs remained active delivering new payloads.
- Wide Range of Open Source Tools: A lot of the activity observed involved a variety of publicly available tools, such as cryptography libraries, weaponizing them for payloads and communication encryption.
- Shared IOCs with Memento Ransomware: One of the IP addresses serves a domain that is being used as command and control (C2) for the recently discovered Memento Ransomware.
- Phosphorus Threat Group: The Phosphorus Threat Group was previously spotted attacking research facilities in multiple regions such as the US, Europe, and the Middle East. The group is known to be behind multiple cyber espionage and offensive cyberattacks, operating in the interest of the Iranian regime, leveraging cyberwarfare in accordance with Iran’s geopolitical interests.
- Use of Publicly Available Exploits: The Phosphorus Group was first seen exploiting the ProxyShell vulnerability, and later on the Log4j vulnerability as well, utilizing fresh exploits in the wild.
Moses Staff
First spotted in October of 2021, the Moses Staff group has primarily been targeting Israeli businesses to steal and expose sensitive information. That’s not to say the group is exclusively targeting Israel, they’ve been seen going after companies across the world, including those in Chile, Germany, India, Italy, Turkey, the UAE, and the US.
Cybereason’s research uncovered a new Remote Access Trojan (RAT) called StrifeWater designed to remove itself from infected systems in order to cover the group’s tracks. StrifeWater also includes other capabilities like command execution, screen capturing and the ability to download additional extensions.
According to Cybereason, the StrifeWater RAT is used during the initial stage of an attack. Once their target is infected, the group goes about stealing sensitive data. To add insult to injury, after stealing the data they infect the computers with ransomware. The difference here is Moses Staff isn’t looking for any kind of financial payout; they’re looking to sabotage and inflict as much damage as possible.
Essentially a scorched earth policy.
Key Findings:
- Novel Remote Access Trojan: A newly undocumented RAT dubbed StrifeWater assessed to be part of the arsenal used by Iranian APT Moses Staff. The RAT is assessed to be specifically used in the initial phase of infection and is later replaced with other tools
- Various Functionality: The StrifeWater RAT has various capabilities, among them: listing system files, executing system commands, taking screen captures, creating persistence, and downloading updates and auxiliary modules.
- Under the Radar: The StrifeWater RAT appears to be removed from the infected environment in time for the deployment of the ransomware. This is likely the reason the RAT was not detected before.
- State-Sponsored Ransomware: Moses Staff employs ransomware post-exfiltration not for financial gain, but to disrupt operations, obfuscate espionage activity, and to inflict damage to systems to advance Iran’s geopolitical goals.
- Victims Across the Globe: The Moses Staff list of victims includes multiple countries and regions, among them: Israel, Italy, India, Germany, Chile, Turkey, UAE, and the US.
As with the Phosphorus group, there’s more in the Moses Staff article over at Cybereason’s website that contains more technical information.
Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.
