PowerLess

Malware Profile Updated a month ago
PowerLess is malware that was deployed by Ballistic Bobcat in September 2021, as the group was concluding the campaign documented in CISA Alert AA21-321A and the PowerLess campaign. The malware was introduced through a new backdoor, exploiting gaps left by traditional security measures, which are often incapable of dealing with such sophisticated threats. Ballistic Bobcat also reused the Command & Control (C&C) infrastructure from the PowerLess campaign, in addition to introducing a new C&C server. This allowed for the delivery of the next generation of Ballistic Bobcat tools, including the PowerLess backdoor and its supporting toolset. The PowerLess malware proved particularly challenging to combat because of its distinctive characteristics: the URLs used for downloading additional stages were dynamically generated, making them difficult to predict or block, and the hash of the initial payload fetched from the C&C server was always unique, rendering standard hash-based blocklisting ineffective. Other phishing attacks launched by Charming Kitten distributed the PowerLess and NOKNOK backdoors, demonstrating the widespread impact of this malicious software. Despite improvements in law enforcement capabilities, agencies struggled to respond swiftly enough to the PowerLess threat. They were also hindered by uncooperative states like Russia, highlighting the international challenges in combating cybercrime. Traditional means were powerless against the PowerLess malware, leading to unconventional approaches such as litigation from Google against Glupteba, another malware whose footprint had grown significantly. Overall, the PowerLess malware represents a significant and evolving threat in the cybersecurity landscape.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Powerless Backdoor | 5 | The PowerLess Backdoor is a novel and previously undocumented malware linked to the Phosphorus group, an Iranian-aligned threat actor. This malicious software was discovered by the Cybereason Nocturnus Team in September 2021 when a victim received an updated version of the Ballistic Bobcat tools, wh
Noknok | 1 | NokNok is a malicious software (malware) developed by the Iranian hacking group APT35, also known as Charming Kitten. It was discovered after the group targeted a US-based nuclear security expert with a sophisticated phishing attack. The attackers initiated several non-threatening email interactions
Sponsor Backdoor | 1 | The Sponsor backdoor is a malicious software (malware) designed and coded by Ballistic Bobcat. This malware obfuscates data before sending it to the Command & Control (C&C) server, employing innocuous configuration files and a modular approach to evade scans. The Sponsor backdoor, a version of Power
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Payload
Backdoor
Ransomware
Implant
Malware
Phishing
Loader
Exploit
State Sponso...
Espionage
Scam
Police
Government
PowerShell
Encryption
Exploits
Ics
iranian
Telegram
Iran
Cybereason
Meta
Sentinelone
Apt
Trojan
Downloader
Zero Day
Vulnerability
Windows
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Phosphorus | Unspecified | 6 | Phosphorus, also known as APT35 or Charming Kitten, is a notorious Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps (IRGC). This threat actor has been involved in a series of malicious activities, employing novel tactics and tools. A significant discovery was made by the
Ballistic Bobcat | Unspecified | 3 | Ballistic Bobcat, also known as APT35, APT42, Charming Kitten, TA453, and Phosphorus, is a threat actor group believed to be aligned with Iran. The group has been active for several years, developing and deploying a series of backdoor exploits known as Sponsor (versions v1 through v4). Ballistic Bob
Charming Kitten | Unspecified | 2 | Charming Kitten, an Iranian Advanced Persistent Threat (APT) group, also known as ITG18, Phosphorous, and TA453, is a significant cybersecurity threat. This threat actor has been associated with numerous malicious activities, exhibiting advanced and sophisticated social-engineering efforts. The grou
APT35 | Unspecified | 1 | APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage group. The group focuses on long-term, resource-intensive operations to collect strategic intelligence. They primarily target sectors in the U.S., Western Europe, and the
Mint Sandstorm | Unspecified | 1 | Mint Sandstorm, an Iranian nation-state threat actor also known as APT35 and Charming Kitten, has been identified by Microsoft as a significant cybersecurity concern. The group is linked to Iran's Islamic Revolutionary Guard Corps and is known for its sophisticated cyber campaigns targeting high-val
TA453 | Unspecified | 1 | TA453, also known as Charming Kitten, APT35, Phosphorus, and Ballistic Bobcat, is a threat actor attributed to the Iranian government. This group has been involved in numerous cyber espionage campaigns against various entities worldwide, with notable incidents involving an attack on a close affiliat
COBALT ILLUSION | Unspecified | 1 | Cobalt Illusion, also known as Mint Sandstorm, APT42, and TA453 among other names, is a threat actor known for its sophisticated social engineering campaigns. This group is associated with the Islamic Revolutionary Guard Corps and is recognized for conducting surveillance and espionage activities ag
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2021-26855 | Unspecified | 1 | CVE-2021-26855 is a significant software vulnerability, specifically a zero-day server-side request forgery (SSRF) flaw, found in Microsoft Exchange 2013, 2016, and 2019. This vulnerability was exploited by attackers to gain initial access to email servers and drop an ASPX webshell, leveraging the t
Source Document References
Information about the PowerLess malware was read from the documents in the corpus below. This display is limited to 20 results.
Source | Created At | Title
DARKReading | a month ago | 4 Ways to Help a Security Culture Thrive
Malwarebytes | 2 months ago | Desperate Taylor Swift fans defrauded by ticket scams | Malwarebytes
CERT-EU | 4 months ago | Banning ransomware payments back on the agenda | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 4 months ago | ScreenConnect flaws exploited to drop new ToddleShark malware
CERT-EU | 5 months ago | Novel backdoor used in Charming Kitten attacks
DARKReading | 5 months ago | Glupteba Botnet Adds UEFI Bootkit to Cyberattack Toolbox
CERT-EU | 6 months ago | The Best 23 Data Security Platforms to Consider in 2024
CERT-EU | 6 months ago | The State of Ransomware in the U.S.: Report and Statistics 2023
CERT-EU | 7 months ago | Pro-China Propaganda, Espionage Tools, Green Illusion: 2023's Best Investigative Stories from Southeast Asia
CERT-EU | 10 months ago | New Sponsor Malware Attacking Government & Healthcare Organizations
ESET | 10 months ago | Sponsor with batch-filed whiskers: Ballistic Bobcat's scan and strike backdoor
BankInfoSecurity | 10 months ago | Iranian Hackers 'Ballistic Bobcat' Deploy New Backdoor
CERT-EU | 10 months ago | Charming Kitten's New Backdoor 'Sponsor' Targets Brazil, Israel, and U.A.E.
CERT-EU | 10 months ago | The Unique TTPs Attackers Use To Target APIs
CERT-EU | 10 months ago | Sex Education Season 4 to Scam 2003: The Telgi Story: The Biggest Web Series to Watch in September
CERT-EU | a year ago | What Is Next-Generation Antivirus (NGAV) and How Does It Work?
CERT-EU | a year ago | Stories from the SOC - Unveiling the stealthy tactics of Aukill malware - Cybersecurity Insiders
CERT-EU | a year ago | The West Wants Nigeria to Invade Its Northern Neighbor - Global Research
CERT-EU | a year ago | Beware the prophets of p(doom), but don't ignore them