Warning: Charming Kitten’s PowerStar Malware advances with sophisticated techniques

0
133

In a concerning development in the world of cybersecurity, Charming Kitten, a threat actor believed to be operating from Iran, has recently upgraded its PowerStar backdoor malware. This upgrade comes hand-in-hand with the deployment of highly sophisticated spear-phishing techniques that have raised alarms among cybersecurity experts.

Cybersecurity firm Volexity released an advisory on Wednesday, shedding light on these evolving threats. According to the advisory, the latest version of PowerStar exhibits enhanced operational security measures, making it significantly more challenging for analysts and intelligence gatherers to dissect and understand.

One notable feature of this malware is the decoupling of its decryption method from the initial code, never writing it to disk. Volexity’s Ankur Saini and Charlie Gardner explained that this tactic not only reduces the risk of exposing the malware to analysis but also serves as an operational guardrail, preventing future decryption of the payload.

Additionally, the updated PowerStar relies on the InterPlanetary File System (IPFS) and publicly accessible cloud hosting for its decryption function and configuration details. Charming Kitten has shifted its preference from previously used cloud-hosting providers like OneDrive, AWS S3, and Dropbox to privately hosted infrastructure such as Backblaze and IPFS.

Experts speculate that this shift may be due to a perception that these alternative providers are less likely to take action against Charming Kitten’s accounts and infrastructure, reducing the risk of exposure.

The latest iteration of PowerStar boasts a range of capabilities, including remote execution of PowerShell and CSharp commands, persistence through various methods, dynamic configuration updates, multiple command-and-control (C2) channels, system reconnaissance, and monitoring of established persistence mechanisms.

Volexity’s report underscores Charming Kitten’s continuous efforts to refine its techniques and evade detection. It serves as a stark reminder of the critical importance of robust cybersecurity measures in countering such sophisticated threats.

Despite these advancements, Charming Kitten’s core tactics, as well as the purpose of the POWERSTAR malware, remain largely unchanged, indicating the group’s success in avoiding the need for significant operational modifications.

To protect against this evolving threat, Volexity recommends the use of provided YARA rules for detecting related activity, blocking the provided indicators of compromise (IOCs), and considering blocking the list of IPFS providers if organizations do not require their use, as these providers can be exploited by malware authors to host malicious files.

This report follows Zscaler’s revelation of threat actors targeting IPFS infrastructure a few months ago, further underscoring the importance of vigilance in the ever-changing landscape of cybersecurity.

Warning: Advanced Cyber Threat – Charming Kitten’s PowerStar Malware

Cybersecurity experts have issued a warning about the evolving threat posed by Charming Kitten’s PowerStar malware. This threat actor, believed to be operating from Iran, has upgraded its malware to include sophisticated spear-phishing techniques and enhanced operational security measures.

The latest version of PowerStar is designed to evade detection and presents a substantial risk to organizations. It is crucial to implement robust cybersecurity measures and stay vigilant to protect against this evolving threat.

Advisory:

Protecting Your Organization Against Charming Kitten’s PowerStar Malware

To protect your organization from the evolving threat posed by Charming Kitten’s PowerStar malware, follow these recommendations:

  • Utilize the provided YARA rules to detect related activity associated with PowerStar.
  • Block the indicators of compromise (IOCs) provided in the advisory to prevent infiltration.
  • Consider blocking the list of IPFS providers if your organization does not require their use, as these providers can be exploited by malware authors to host malicious files.

Stay vigilant and implement robust cybersecurity measures to safeguard your organization against this advanced cyber threat.

Author profile

Carlo Juancho FuntanillaFrontend Developer, WordPress, Shopify
Contributing Editor
AMA ACLC San Pablo