Over the past months, the Cybereason Nocturnus Team observed an uptick in the activity of the Iranian attributed group dubbed Phosphorus (AKA Charming Kitten, APT35), known for previously attacking medical research organizations in the US and Israel in late 2020, and for targeting academic researchers from the US, France, and the Middle East region back in 2019.
They have also previously targeted human rights activists, the media sector, and interfered with the US presidential elections.
Towards the end of 2021, multiple attacks were carried out exploiting the notorious Microsoft Exchange Server vulnerabilities chained together and referred to as ProxyShell, which ultimately enabled multiple threat actors to deploy malware on their targets’ networks. There have been several reports detailing the exploitation of these vulnerabilities by Iranian state sponsored threat actors, among them the Phosphorus APT group carrying out ransomware attacks.
Cybereason researchers recently discovered a new set of tools which were developed by the Phosphorus group and incorporated into their arsenal, including a novel PowerShell backdoor dubbed PowerLess Backdoor. Our research also highlights a stealthy technique used by the group to avoid PowerShell detection by running the PowerShell Backdoor in a .NET context rather than spawning the PowerShell process.
In addition, several interesting connections were found between the Phosphorus group and the Memento Ransomware that first emerged in late 2021. (Related Iranian APT research: StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations).
Following up on both public and non-public intelligence that is available to Cybereason in regard to the Phosphorus threat actor, the Cybereason Nocturnus Team was able to identify a new toolset that includes a novel backdoor, malware loaders, a browser info stealer, and a keylogger.
It is worth noting that some of the more recent methods that were observed in attacks attributed to the Phosphorus group included open-source tools such as the famous DiskCryptor library and also BitLocker, along with the Fast Reverse Proxy which is used for RDP proxying.
The following sections will detail the discovery process and analysis of the newly identified tools.
The journey to the discovery of the new toolset started with threat intelligence efforts that included pivoting on an IP address (162.55.136[.]20) that was already attributed to Iranian threat actors by multiple sources, including US CERT.
While examining different files that were downloaded from this IP address, we stumbled upon a file named “WindowsProcesses.exe”:
WindowsProcesses.exe hosted on the abovementioned IP
The file seems to have only been detected by 35/68 antivirus vendors, according to VirusTotal:
WindowsProcesses.exe details as seen in VirusTotal
This file, entitled “WindowsProcesses.exe” is a 64-bit executable loader whose sole purpose is to resolve relevant DLLs and load another file from the “%windir%\Temp” path entitled “dll.dll”:
WindowsProcesses and related modules execution diagram
Once the relevant DLLs (mostly related to .NET runtime libraries) and API calls are resolved, dll.dll is executed:
The main code of WindowsProcesses.exe
By the looks of it, the authors could have been inspired by a code snippet found publicly available on GitHub, which facilitates running PowerShell with CLR in native runtime. The snippet is named “Powerless”, and the authors seem to have kept that naming convention, as shown in the PDB path of the binary:
C:\\Users\\pugna\\Desktop\\126\\V1\\PowerLessCLR\\x64\\Release\\PowerLessCLR.pdb
Dll.dll is a simple .NET AES decryptor that uses a hardcoded key “()*&3dCfabE2/123” to decode another file named “upc” to ultimately execute PowerShell code from the decrypted object:
The code of dll.dll
The upc encrypted BLOB is decrypted using dll.dll, and contains multiple encryption layers that all are decrypted in stages using base64 and AES ECB decryption.
The keys that are being used for decryption are as follows:
Prior to decrypting the PowerShell backdoor, an intermediate stage takes place when the victim’s machine is assigned a unique identifier which is sent to the C2, which downloads an additional configuration:
The intermediate stage during the PowerLess backdoor decryption
After all the AES encrypted layers are decrypted, the PowerLess backdoor is executed:
PowerLess backdoor command parsing code segment
The PowerLess backdoor is equipped with the following capabilities:
It is worth mentioning that the backdoor is being run within a .NET context, so therefore it does not spawn “powershell.exe”. This behavior can be interpreted as an attempt to evade certain PowerShell detections, although PowerShell logs are being saved on the machine:
Windows Processes and the malicious loaded module “dll.dll” as seen in the Cybereason XDR Platform
Oddly enough, there is a part of the code in the PowerLess Backdoor, that do spawn a powershell.exe process, when the request to kill a process is received from the C2:
A part of the PowerLess Backdoor that spawns powershell.exe
It can be assumed that the native language of the backdoor’s authors is likely not English given the abundance of typos and grammatical mistakes found in the code:
PowerLess backdoor logging
One of the modules downloaded by the PowerLess backdoor is a keylogger that is written in .NET. It’s core functionality is quite simple, consisting of hooks and the logging of the user’s keystrokes:
Partial code from the keylogger module
The logs are being stored in the following path: "C:\\Windows\\Temp\\Report.06E17A5A-7325-4325-8E5D-E172EBA7FC5BK":
Logs path of the keylogger module
Another module is a browser info stealer, which is also written in .NET, and includes the BouncyCastle crypto library. It also uses an SQLite data reader object for Chrome and Edge browser database files. In the staging phase, the data is encrypted and written in JSON format for exfiltration:
Partial code from the info stealer module
The logs are being stored in the following path: “C:\\Windows\\Temp\\cup.tmp”:
Logs path of the stealer module
In addition to the newly discovered PowerLess Backdoor, other tools were identified by the Nocturnus Team which are suspected to originate from the same developer. However, at this point in time there isn't enough evidence to conclusively tie these tools to Phosphorus with a high level of confidence.
Looking at the PE info of “WindowsProcesses.exe”, the below PDB path is present: “C:\Users\pugna\Desktop\126\V1\PowerLessCLR\x64\Release\PowerLessCLR.pdb”:
The PDB path from WindowsProcesses.exe
Searching for the prefix “C:\Users\pugna” returns other unidentified tools:
Artifacts found in VirusTotal with the search “C:\Users\pugna”
“Chromium F.exe” is yet another .NET browser info stealer. Although the code is different, by the functionality it is similar to the abovementioned info stealer module, leading us to assess that it might be an earlier variant:
Code segment from Chromium F.exe
“Sou.exe” is another .NET file, but this time it’s an audio recorder which uses the NAudio open source library:
Code segment from Sou.exe
One of the more recent tools that was allegedly from the same developer is what appears to be an unfinished Ransomware variant. It is also written in .NET and at this point doesn’t do anything except locking the target’s screen. As can be seen, the fields like the ransom amount and attacker’s email are yet to be set. Although unfinished, it is worth mentioning that the sample was uploaded from Iran via web, and it might imply yet another step in the direction of this threat actor towards ransomware:
Unfinished ransomware sample uploaded to VirusTotal from Iran
The unfinished ransomware locker screen
Analysis of FRP Loaders
One of the more active IPs that was reported in the ProxyShell attacks was 148.251.71[.]182. In addition, another recent report mentions this IP address as part of an active exploitation of the Log4j vulnerability:
Files found on the IP address 148.251.71[.]182
The “symantec” and “update” themed files all serve the FRP again. The “RCE” links, on the other hand, serve a Java loader that distinguishes the victim machine’s operating system and drops the appropriate version of FRP:
The Java RCE class
There are two slightly different variations of the loader, but eventually they check for the file separator of the OS, which is “/” in case it’s Linux or “\” in Windows, and then downloads the payload and creates persistence:
Content of the malicious Java class
Another loader which eventually delivers FRP is PowerShell code converted to an executable by the “Ps1 To Exe” freeware that is available for download on public forums, where less technical people can successfully use it:
Information about one of the FRP loaders
Finally, the loader creates a scheduled task for FRP, of course while being dependent on the OS type.
A full process tree of a real time attack that exploits the ProxyShell vulnerability and deployment of the FRP modules, can be seen below:
A real time FRP staging and execution as seen in the Cybereason XDR Platform
Once the attackers exploited the vulnerable Microsoft Exchange Server, they downloaded the FRP module, ran multiple reconnaissance commands, created persistence, dumped credentials using a known LOLBIN technique (Comsvcs.dll), and attempted to move laterally, as can be seen in the above Cybereason XDR Platform image.
Another IP that appears in US CERT’s list is 91.214.124[.]143. Searching it in VirusTotal reveals other malicious files communicating with it, as well as unique URL directory patterns that reveal a potential connection to Memento Ransomware:
Some of the Memento IOCs that are suspected to be related to Phosphorus
FRP named “Connector3.exe” from US CERT report
In this report, the Cybereason Nocturnus Team detailed a previously undocumented PowerShell backdoor dubbed PowerLess, used by the Iranian APT Phosphorus in recent attacks. This research also provided further details regarding the group’s tools and techniques, including the use of publicly available tools and a combination of coding languages.
The extensive usage of open source tools that is assessed to demonstrate the intermediate coding skills of the attackers. The use of various programming languages also might point to a lack of specialization in any specific coding language. This research also highlights how important it is for threat intelligence analysts to “follow the breadcrumbs,” such as pivoting on known infrastructure or the PDB paths left by the attackers in this case, in order to pave the way for discovering additional tools and connections to other operations.
Finally, a connection between Phosphorus and the Memento ransomware was also found through mutual TTP patterns and attack infrastructure, strengthening the connection between this previously unattributed ransomware and the Phosphorus group.
The Cybereason XDR Platform detects and blocks the PowerLess Trojan and other advanced TTPs used in this operation. Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across enterprise, to everywhere the battle is taking place.
|
Discovery |
Collection |
Command and Control |
Credential Access |
|
|
Application Layer Protocol: Web Protocols |
||
|
Data Encoding: Standard Encoding |
|||
|
Encrypted Channel: Symmetric Cryptography |
|||
DANIEL FRANK
Daniel Frank is a senior Malware Researcher at Cybereason. Prior to Cybereason, Frank was a Malware Researcher in F5 Networks and RSA Security. His core roles as a Malware Researcher include researching emerging threats, reverse-engineering malware and developing security-driven code. Frank has a BSc degree in information systems.
The Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.
All Posts by Cybereason Nocturnus
The highly-targeted attacks against aerospace and telecoms firms by new Iranian threat actor MalKamak includes newly discovered malware that evaded security tools since 2018 and abuses Dropbox services for command and control...
Cybereason discovered an undocumented RAT dubbed StrifeWater attributed to Iranian APT Moses Staff who deploy destructive ransomware following network infiltration and the exfiltration of sensitive data...
