Powerless Backdoor

Malware Profile Updated 2 months ago
Download STIX
Preview STIX
The PowerLess Backdoor is a novel and previously undocumented malware linked to the Phosphorus group, an Iranian-aligned threat actor. This malicious software was discovered by the Cybereason Nocturnus Team in September 2021 when a victim received an updated version of the Ballistic Bobcat tools, which included this backdoor and its supporting toolset. The malware is installed via a compromised Windows version of a virtual private network (VPN) application, using PowerShell to enable file transfer and execution. This sophisticated backdoor has various capabilities that pose significant threats to the infected systems. It targets specific data on the system, logs keystrokes, captures screenshots, and can execute commands after decrypting multiple AES encrypted layers. The PowerLess Backdoor's unique feature is its ability to spawn powershell.exe, a command-line shell and scripting language designed for system administration and automation. Recently, a new Iranian-aligned threat actor named Educated Manticore has been found using new tactics and tools, including an updated version of the PowerLess Backdoor, targeting entities in Israel. This development highlights the continuous evolution and sophistication of cyber threats, emphasizing the need for robust cybersecurity measures to protect against such advanced persistent threats.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
PowerLess
5
Powerless is a malware that was deployed by Ballistic Bobcat in September 2021, as they were concluding the campaign documented in CISA Alert AA21-321A and the PowerLess campaign. The malware was introduced through a new backdoor, exploiting gaps left by traditional security measures which are often
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
PowerShell
Windows
Vpn
Iran
Malware
Exploit
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Ballistic BobcatUnspecified
1
Ballistic Bobcat, also known as APT35, APT42, Charming Kitten, TA453, and Phosphorus, is a threat actor group believed to be aligned with Iran. The group has been active for several years, developing and deploying a series of backdoor exploits known as Sponsor (versions v1 through v4). Ballistic Bob
PhosphorusUnspecified
1
Phosphorus, also known as APT35 or Charming Kitten, is a notorious Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps (IRGC). This threat actor has been involved in a series of malicious activities, employing novel tactics and tools. A significant discovery was made by the
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Powerless Backdoor Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
DARKReading
5 months ago
Iran-Backed Charming Kitten Stages Fake Webinar Platform to Ensnare Targets
MITRE
a year ago
PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage
CERT-EU
a year ago
Cyber security week in review: April 28, 2023
ESET
10 months ago
Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor
CERT-EU
10 months ago
Iranian hackers target orgs in Brazil, Israel, and OAE with new Sponsor backdoor