Charming Kitten Sharpens Its Claws with PowerShell Backdoor

The notorious Iranian APT is fortifying its arsenal with new malicious tools and evasion tactics and may even be behind the Memento ransomware.

The Iranian advanced persistent threat (APT) Charming Kitten is sharpening its claws with a new set of tools, including a novel PowerShell backdoor and related stealth tactics, that show the group evolving yet again. The new tools may signal that it’s getting ready to pounce on new victims, researchers believe.

Researchers at cybersecurity firm Cybereason discovered the tools, which include a backdoor they dubbed “PowerLess Backdoor,” as well as an evasive maneuver to run the backdoor in a .NET context rather than as one that triggers a PowerShell process, the Cybereason Nocturnus Team wrote in a report published Tuesday.

“The Cybereason Nocturnus Team was able to identify a new toolset that includes a novel backdoor, malware loaders, a browser info stealer, and a keylogger,” Cybereason Senior Malware Researcher Daniel Frank wrote in the report.

The team also identified links between Charming Kitten and the Memento ransomware that emerged late last year and until now has been unattributed, signaling that the APT may be moving beyond its typical cyberespionage tactics and into new cybercriminal

Read More: