PowerLess

Malware updated 11 days ago (2024-10-17T12:05:04.564Z)
PowerLess is a PowerShell-based backdoor that was deployed by Ballistic Bobcat in September 2021, during the wrap-up of the campaign documented in CISA Alert AA21-321A. Its introduction marked the start of what is referred to as the PowerLess campaign, which used a new command and control (C&C) server. The PowerLess backdoor and its supporting toolset were delivered to victims through phishing emails. Traditional blocklisting proved ineffective against this malware: the URLs used to download additional stages were generated dynamically, and the initial payload fetched from the C2 had a unique hash on every retrieval, so neither URL nor file-hash indicators taken from one victim could be reused to protect the next. Detection therefore has to rest on what the downloader and the stages it retrieves do on the host, rather than on static indicators of a single captured sample.
Description last updated: 2024-10-17T11:41:50.240Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be relevant.
Possible alias: Powerless Backdoor (5 votes)
Powerless Backdoor is a possible alias for PowerLess. The PowerLess Backdoor is a novel and previously undocumented malware linked to the Phosphorus group, an Iranian-aligned threat actor. This malicious software was discovered by the Cybereason Nocturnus Team in September 2021 when a victim received an updated version of the Ballistic Bobcat tools, wh
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Payload
Backdoor
Malware
Ransomware
Implant
PowerShell
Loader
State Sponso...
Espionage
Exploit
Phishing
Associated Threat Actors
Phosphorus (association type: Unspecified; 6 votes)
The Phosphorus Threat Actor is associated with PowerLess. Phosphorus, also known as APT35 or Charming Kitten, is a prominent threat actor linked to the Islamic Revolutionary Guard Corps (IRGC) of Iran. The group is notorious for its cyberespionage activities and has been actively targeting high-profile individuals involved in Middle Eastern affairs at univ
Ballistic Bobcat (association type: Unspecified; 3 votes)
The Ballistic Bobcat Threat Actor is associated with PowerLess. Ballistic Bobcat, also known as APT35, APT42, Charming Kitten, TA453, and Phosphorus, is a threat actor group believed to be aligned with Iran. The group has been active for several years, developing and deploying a series of backdoors known as Sponsor (versions v1 through v4). Ballistic Bob
Charming Kitten (association type: Unspecified; 2 votes)
The Charming Kitten Threat Actor is associated with PowerLess. Charming Kitten, also known as APT42, Storm-2035, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, is a threat actor linked to Iran that has been involved in various cyberattacks targeting entities in Brazil, Israel, and the U.A.E. using a new backdoor. This group has been implicated in sophisti
Source Document References
Information about the PowerLess malware was read from the document corpus below. This display is limited to 20 results.
Source (created):
DARKReading (3 months ago)
CERT-EU (10 months ago)
DARKReading (4 months ago)
Malwarebytes (6 months ago)
CERT-EU (8 months ago)
CERT-EU (8 months ago)
CERT-EU (8 months ago)
DARKReading (8 months ago)
CERT-EU (10 months ago)
CERT-EU (10 months ago)
CERT-EU (10 months ago)
CERT-EU (a year ago)
ESET (a year ago)
BankInfoSecurity (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)