New PowerLess backdoor variant used by Iranian hackers

May 22, 2023

An Iran-based threat group has run a new campaign that infects targets with the latest variant of the PowerLess backdoor. According to researchers, the newly identified activity cluster, tracked as Educated Manticore, is behind the attacks and appears to be identical to the Phosphorus group.

Like many other hacking groups, Educated Manticore used ISO images and archive files as part of its infection chain. The group has also kept updating its toolset and uses more complex techniques, such as building .NET executables as mixed mode assemblies.

The current campaign delivers the updated PowerLess implant as the final payload. The actors also use the ISO archive to show the victim a decoy document in Arabic, English, or Hebrew.

Researchers also noticed that the document used in the attacks appears to contain academic content about Iraq taken from a legitimate non-profit organisation, which suggests the campaign may be aimed at the research community.

The PowerLess backdoor has features that are not common within the threat landscape.

According to the investigation, the new PowerLess backdoor resembles its earlier variants, but its loading mechanism has been improved in ways not commonly seen from other malicious actors.

The backdoor is a .NET binary built as a mixed mode assembly, combining managed and native code in one file. Researchers believe the developers built the new version for phishing attacks aimed exclusively at Iraq, using ISO files to start the infection process.

Analysts also confirmed that the backdoor can steal data from web browsers and from applications such as Telegram, log keystrokes, capture screenshots, and record audio.

Lastly, the PowerLess backdoor encodes and encrypts its communication with the server using base64 after obtaining a key from the server. The operators also prepend three random letters to the encoded blob to hinder analysis.
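The three prepended letters matter to an analyst because they throw off a naive base64 decode: the blob no longer has a length that is a multiple of four, and decoding at the wrong offset either fails or yields garbage. The snippet below is an added example, not code from the researchers or from the malware, showing how to recover the encoding layer by trying a small range of prefix lengths and accepting only a canonical decode. The article does not describe the key-based encryption layer, so this example handles only the base64 encoding and the junk prefix; the plaintext, the prefix and the blob are constructed for the example.

```python
import base64
import string

# Constructed sample wrapped the way the article describes: base64-encode the
# payload, then prepend three random letters. Plaintext and prefix are made up
# for this example; they are not captured traffic.
CONSTRUCTED_PLAINTEXT = b"hostname=WS-LAB-01;user=analyst;state=idle"
CONSTRUCTED_PREFIX = "qzt"
CONSTRUCTED_BLOB = CONSTRUCTED_PREFIX + base64.b64encode(CONSTRUCTED_PLAINTEXT).decode()

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def canonical_b64decode(s):
    """Decode s only if it is canonical base64: alphabet characters only,
    length a multiple of 4, and re-encoding the result reproduces s exactly.

    The round-trip check is what rejects accidental decodes. Python's lenient
    decoder will happily return bytes for a misaligned string whose length is
    still a multiple of 4 (e.g. stray '==' after a full quad), but re-encoding
    that output never reproduces the misaligned input.
    """
    if not s or len(s) % 4 != 0 or not all(c in B64_ALPHABET for c in s):
        raise ValueError("not canonical base64")
    decoded = base64.b64decode(s)
    if base64.b64encode(decoded).decode() != s:
        raise ValueError("not canonical base64")
    return decoded


def decode_with_junk_prefix(blob, max_prefix=3):
    """Try stripping 0..max_prefix leading characters and return
    (prefix_len, decoded_bytes) for the first offset that decodes canonically.

    Returns None when no offset decodes. Because a proper base64 string always
    has a length divisible by 4, a fixed three-letter prefix can only ever
    decode at offset 3, whatever the random letters are.
    """
    for n in range(0, max_prefix + 1):
        try:
            return n, canonical_b64decode(blob[n:])
        except ValueError:
            continue
    return None


def has_junk_prefix(blob, max_prefix=3):
    """Triage helper: True when the blob only decodes after removing a prefix,
    which is the pattern worth a closer look in captured traffic."""
    result = decode_with_junk_prefix(blob, max_prefix)
    return result is not None and result[0] > 0


if __name__ == "__main__":
    result = decode_with_junk_prefix(CONSTRUCTED_BLOB)
    print("prefix length:", result[0])
    print("decoded:", result[1])
    print("junk prefix present:", has_junk_prefix(CONSTRUCTED_BLOB))
```

Running the block on the constructed blob reports a prefix length of 3 and returns the original plaintext; a blob that is plain base64 decodes at offset 0 and is not flagged, and a string that is not base64 at any offset returns None.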

The Educated Manticore campaign has evolved and upgraded both its toolset and its delivery tactics. Researchers note that the current variant is not the final stage of this work but only the first phase of a longer series of upgrades.

Organisations should watch for this threat, since it could cause significant damage as it continues to evolve.
