PowerStar malware improves its advanced techniques

July 12, 2023

The Iran-based threat group Charming Kitten has been improving its PowerStar malware to increase the effectiveness of its spear-phishing campaigns. According to reports, the new version adds operational-security measures that help it gather information while making analysis harder for researchers.

The researchers stated that Charming Kitten reduces its malware's exposure to threat analysts and security detections by delivering the decryption method separately from the initial code. Moreover, the tool is never written to the target's disk.

This method gives the operators a new behaviour that acts as an operational guardrail: because the decryption method is decoupled from the initial code and served through the C2 server, a researcher holding only the sample cannot decrypt the corresponding POWERSTAR payload.


The newly improved PowerStar malware from the Charming Kitten group relies on several features.


Charming Kitten’s PowerStar malware relies on the InterPlanetary File System (IPFS) and publicly available cloud-hosting platforms for its decryption function and configuration details.

The researchers also disclosed that the Charming Kitten group has transitioned from its previous cloud-hosting preferences to privately hosted infrastructure, such as IPFS and Backblaze.

A confirmed upgrade to PowerStar is the remote execution of PowerShell and C# commands. The upgrades also include persistence through various tactics, multiple command-and-control channels, dynamic configuration updates, monitoring of the established persistence mechanisms, and system surveillance.
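Running PowerShell and C# in memory without ever writing the tool to disk, as described above, sidesteps file-based scanning but not PowerShell's own logging: Script Block Logging records the content of every script block at the moment it executes, decoded form included. The script below is an added example for defenders, not code from this article or from the cited research. It enables Script Block Logging and Module Logging through the standard Windows policy registry keys, then reads recent Event ID 4104 records from the PowerShell Operational log and flags blocks containing decoding or in-memory loading primitives. The pattern list in `$patterns` is a constructed starting point chosen here, not an indicator from the report, and it will produce benign hits that need tuning.

```powershell
# Added example (not from the article or the cited research).
# Requires an elevated session: it writes policy keys under HKLM.
#Requires -RunAsAdministrator

# 1. Turn on Script Block Logging (Event ID 4104 in
#    Microsoft-Windows-PowerShell/Operational). This is the standard policy key
#    that the "Turn on PowerShell Script Block Logging" GPO setting writes.
$sblPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sblPath)) { New-Item -Path $sblPath -Force | Out-Null }
Set-ItemProperty -Path $sblPath -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 2. Turn on Module Logging for all modules ('*'), which records pipeline
#    execution details (Event ID 4103) alongside the script block text.
$modPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
if (-not (Test-Path $modPath)) { New-Item -Path $modPath -Force | Out-Null }
Set-ItemProperty -Path $modPath -Name 'EnableModuleLogging' -Value 1 -Type DWord
$namesPath = Join-Path $modPath 'ModuleNames'
if (-not (Test-Path $namesPath)) { New-Item -Path $namesPath -Force | Out-Null }
New-ItemProperty -Path $namesPath -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 3. Constructed, case-insensitive patterns typical of payloads that are
#    decoded and executed without touching disk. Tune for your environment.
$patterns = @(
    'FromBase64String',
    'Invoke-Expression',
    '\bIEX\b',
    'Reflection\.Assembly\]::Load',
    'DownloadString',
    'Add-Type'
)
$regex = $patterns -join '|'

# 4. Pull 4104 events from the last 24 hours. If logging was only just enabled
#    there may be nothing yet; Get-WinEvent returns nothing rather than failing.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # For a 4104 event, Properties[2] is the ScriptBlockText field.
    $text = [string]$e.Properties[2].Value
    if ($text -match $regex) {
        $flat = $text -replace '\s+', ' '
        [PSCustomObject]@{
            Time     = $e.TimeCreated
            Computer = $e.MachineName
            Match    = $Matches[0]
            Snippet  = $flat.Substring(0, [Math]::Min(160, $flat.Length))
        }
    }
}
```

Run it once as an administrator to set the policy, then schedule the query part (steps 3 and 4) or forward the 4104 events to a SIEM; the point is that a payload delivered and decrypted only in memory still leaves its decoded script text in this log.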

Cybersecurity experts said the updated PowerStar malware shows that Charming Kitten is continuously refining its evasion capabilities and techniques. It also underlines that organisations should deploy up-to-date, robust defences to mitigate or prevent such sophisticated attacks.

Furthermore, Charming Kitten's phishing playbook and the capabilities of its new malware remain consistent, which suggests the group is succeeding in its aim of modifying and improving its malicious tooling.

Lastly, organisations should use the provided YARA rules to spot such activity, block the provided IOCs, and consider blocking the listed IPFS providers to protect their networks from Charming Kitten’s attacks. These steps can mitigate or prevent threats that could cause significant damage after a successful infection.
