PowerLess

Malware updated 3 months ago (2024-06-14T02:17:36.404Z)
PowerLess is a backdoor that Ballistic Bobcat deployed in September 2021, as the group was winding down the campaign documented in CISA Alert AA21-321A and the PowerLess campaign. The malware was introduced through a new backdoor that slipped past traditional security controls, which are often unable to cope with threats of this sophistication. Ballistic Bobcat reused the command-and-control (C&C) infrastructure from the PowerLess campaign and also stood up a new C&C server; together these delivered the next generation of Ballistic Bobcat tooling, including the PowerLess backdoor and its supporting toolset.

PowerLess is particularly difficult to counter because of how it is delivered. The URLs used to download additional stages are generated dynamically, so they cannot be predicted or blocked in advance, and the hash of the initial payload fetched from the C2 is unique on every retrieval, so standard hash-based blocklisting is ineffective. Other phishing campaigns attributed to Charming Kitten distributed the PowerLess and NOKNOK backdoors, showing how widely this malware was used.

Despite improvements in their capabilities, law enforcement agencies struggled to respond to PowerLess quickly enough and were further hindered by uncooperative states such as Russia, which illustrates the international obstacles to fighting cybercrime. With traditional means ineffective against PowerLess, unconventional approaches were tried, such as Google's litigation against Glupteba, another malware family that had grown very large. Overall, PowerLess represents a significant and evolving threat in the cybersecurity landscape.
Description last updated: 2024-06-14T02:16:29.640Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Each entry below lists the profile name, its vote count, and the profile description.

Powerless Backdoor (5 votes): The PowerLess Backdoor is a novel and previously undocumented malware linked to the Phosphorus group, an Iranian-aligned threat actor. This malicious software was discovered by the Cybereason Nocturnus Team in September 2021 when a victim received an updated version of the Ballistic Bobcat tools, wh
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Payload
Backdoor
Malware
Ransomware
Implant
PowerShell
Loader
State Sponso...
Espionage
Exploit
Phishing
Analyst Notes & Discussion
Associated Threat Actors
Each entry below lists the threat actor, the association type, its vote count, and the profile description.

Phosphorus (type: Unspecified, 6 votes): Phosphorus, also known as APT35 or Charming Kitten, is a notorious Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps (IRGC). This threat actor has been involved in a series of malicious activities, employing novel tactics and tools. A significant discovery was made by the

Ballistic Bobcat (type: Unspecified, 3 votes): Ballistic Bobcat, also known as APT35, APT42, Charming Kitten, TA453, and Phosphorus, is a threat actor group believed to be aligned with Iran. The group has been active for several years, developing and deploying a series of backdoor exploits known as Sponsor (versions v1 through v4). Ballistic Bob

Charming Kitten (type: Unspecified, 2 votes): Charming Kitten, also known as APT42, Storm-2035, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, is an Iranian threat actor group that has been linked to various cyber attacks. It has targeted entities in Brazil, Israel, and the United Arab Emirates using a new backdoor, as revealed by securit
Source Document References
Information about the PowerLess malware was read from the document corpus below. This display is limited to 20 results.
Each entry lists the source, when it was created, and the document title.

DARKReading, a month ago: Disney, Nike, IBM Signatures Anchor 3M Fake Emails a Day
CERT-EU, 8 months ago: The State of Ransomware in the U.S.: Report and Statistics 2023 | #ransomware | #cybercrime
DARKReading, 3 months ago: 4 Ways to Help a Security Culture Thrive
Malwarebytes, 4 months ago: Desperate Taylor Swift fans defrauded by ticket scams | Malwarebytes
CERT-EU, 6 months ago: Banning ransomware payments back on the agenda | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, 6 months ago: ScreenConnect flaws exploited to drop new ToddleShark malware
CERT-EU, 7 months ago: Novel backdoor used in Charming Kitten attacks
DARKReading, 7 months ago: Glupteba Botnet Adds UEFI Bootkit to Cyberattack Toolbox
CERT-EU, 8 months ago: The Best 23 Data Security Platforms to Consider in 2024
CERT-EU, 8 months ago: The State of Ransomware in the U.S.: Report and Statistics 2023
CERT-EU, 9 months ago: Pro-China Propaganda, Espionage Tools, Green Illusion: 2023's Best Investigative Stories from Southeast Asia
CERT-EU, a year ago: New Sponsor Malware Attacking Government & Healthcare Organizations
ESET, a year ago: Sponsor with batch-filed whiskers: Ballistic Bobcat's scan and strike backdoor
BankInfoSecurity, a year ago: Iranian Hackers 'Ballistic Bobcat' Deploy New Backdoor
CERT-EU, a year ago: Charming Kitten's New Backdoor 'Sponsor' Targets Brazil, Israel, and U.A.E.
CERT-EU, a year ago: The Unique TTPs Attackers Use To Target APIs
CERT-EU, a year ago: Sex Education Season 4 to Scam 2003: The Telgi Story: The Biggest Web Series to Watch in September
CERT-EU, a year ago: What Is Next-Generation Antivirus (NGAV) and How Does It Work?
CERT-EU, a year ago: Stories from the SOC - Unveiling the stealthy tactics of Aukill malware - Cybersecurity Insiders