Heimdal

Researchers at Volexity recently published an analysis of the evolution of the POWERSTAR backdoor and of the spear-phishing techniques used to deliver it by Charming Kitten, a threat actor believed to operate from Iran. The most recent version of POWERSTAR adds operational security measures that make the malware harder to analyze and to collect intelligence on.

According to Volexity, the most recent POWERSTAR malware iteration has become more complex, indicating the presence of a customized server-side component that automates basic tasks for the malware operator.

New Characteristics

This latest version has several noteworthy features. These include using the InterPlanetary File System (IPFS) in its operations and hosting its decryption function and configuration details on publicly accessible cloud storage platforms.

The new POWERSTAR variant also adds the ability to execute PowerShell and C# commands remotely, establish persistence through several methods, update its configuration dynamically, use multiple command-and-control (C2) channels, perform system reconnaissance, and monitor its own persistence mechanisms.

New Tactics

Charming Kitten previously relied on public cloud-hosting providers such as OneDrive, AWS S3, and Dropbox, but in recent months the group has shifted to delivering malware through privately hosted infrastructure, Backblaze, and IPFS.

The group may have made this change because privately hosted infrastructure lowers the chance that its tooling is discovered, or because these newer providers are less likely to suspend its accounts and disrupt its operations, as Cyware suggests.
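The hosting shift described above gives defenders a concrete hunting signal: a scripting host such as PowerShell fetching content from an IPFS gateway or a file-hosting service is worth a look, whichever gateway or bucket is involved. The script below is an added example written for this article, not tooling from Volexity, Heimdal, or the article's author. It scans proxy-log lines for PowerShell processes requesting IPFS content paths or known file-hosting domains. The log format, the gateway and hosting domain lists, and the sample entries are all assumptions constructed here; none of them are indicators from the advisory.

```python
"""Hunt proxy logs for PowerShell pulling payloads or configuration from
IPFS or public file-hosting, the delivery pattern described for POWERSTAR.

Added example; not the advisory's or the vendor's code. The log format,
domain lists and sample lines below are constructed assumptions.
"""
import re
from urllib.parse import urlparse

# Assumed: generic public IPFS gateways and file-hosting domains to flag.
# These are service domains, not threat-actor IOCs from the advisory.
IPFS_GATEWAYS = {"ipfs.io", "dweb.link", "cloudflare-ipfs.com", "gateway.pinata.cloud"}
FILE_HOSTING_SUFFIXES = ("backblazeb2.com", "dropbox.com", "1drv.ms", "s3.amazonaws.com")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# IPFS content paths look like /ipfs/<CID> or /ipns/<name>. CIDv0 is 46 chars
# of base58 starting "Qm"; CIDv1 is commonly lowercase base32 starting "b".
IPFS_PATH = re.compile(r"^/(ipfs|ipns)/([A-Za-z0-9]+)")
CID_V0 = re.compile(r"^Qm[1-9A-HJ-NP-Za-km-z]{44}$")
CID_V1 = re.compile(r"^b[a-z2-7]{58,}$")

# Assumed log format (constructed): <timestamp> <src_ip> <process> <method> <url>
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)$")


def classify(url):
    """Return a reason string if the URL points at IPFS or a file-hosting
    service, otherwise None. IPFS paths are checked on any host, because a
    gateway can sit on a domain we have never seen."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    m = IPFS_PATH.match(u.path)
    if m:
        kind, ident = m.groups()
        if kind == "ipfs" and (CID_V0.match(ident) or CID_V1.match(ident)):
            return "ipfs-cid"
        return "ipfs-path"
    if host in IPFS_GATEWAYS:
        return "ipfs-gateway"
    if any(host == s or host.endswith("." + s) for s in FILE_HOSTING_SUFFIXES):
        return "file-hosting"
    return None


def hunt(lines):
    """Return (src_ip, process, url, reason) for every scripting-host request
    to a flagged destination. Malformed lines are skipped, not raised on."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        _ts, src, proc, _method, url = m.groups()
        proc_name = proc.rsplit("\\", 1)[-1].lower()  # strip the Windows path
        if proc_name not in SCRIPT_HOSTS:
            continue
        reason = classify(url)
        if reason:
            hits.append((src, proc_name, url, reason))
    return hits


# Constructed sample log: two PowerShell fetches from IPFS, one from Backblaze
# B2, one browser fetch from IPFS (not a scripting host), one benign PowerShell
# request, and one malformed line.
SAMPLE_LOG = [
    r"2023-06-28T10:02:11Z 10.0.0.15 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe GET https://ipfs.io/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG",
    r"2023-06-28T10:02:40Z 10.0.0.15 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe GET https://f001.backblazeb2.com/file/sample-bucket/config.txt",
    r"2023-06-28T10:03:05Z 10.0.0.22 chrome.exe GET https://ipfs.io/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG",
    r"2023-06-28T10:04:00Z 10.0.0.15 powershell.exe GET https://www.microsoft.com/en-us/download",
    r"2023-06-28T10:05:19Z 10.0.0.31 C:\Program\pwsh.exe GET https://dweb.link/ipfs/bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for src, proc, url, reason in hunt(SAMPLE_LOG):
        print(f"{src} {proc} -> {url} [{reason}]")
```

The check deliberately keys on the requesting process rather than on any specific CID, bucket, or gateway, because those are exactly the things the operators can rotate; the behaviour of a shell interpreter pulling from content-addressed or file-hosting storage is what persists across campaigns. In production the same logic would run against EDR network telemetry or PowerShell script-block logs, with the domain lists tuned to what is legitimately used in your environment.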

This new version of the malware shows that Charming Kitten keeps refining its tooling and tradecraft to stay undetected, and it underlines the need for rigorous security controls against such threats. Defenders should block the indicators of compromise (IOCs) Volexity published and deploy its YARA rules to detect the malware.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.


Author Profile

Madalina Popovici

Digital PR Specialist


Madalina, a seasoned digital content creator at Heimdal®, blends her passion for cybersecurity with an 8-year background in PR & CSR consultancy. Skilled in making complex cyber topics accessible, she bridges the gap between cyber experts and the wider audience with finesse.
