These hackers are hitting victims with ransomware in an attempt to cover their tracks

LASER_oneXM

Cyber-espionage campaigns linked to the Iranian government are using new malware to secretly snoop around networks, and then drop malware to hide any trace of activity.

Iranian hackers are targeting a range of organisations around the world in campaigns that use previously unidentified malware to conduct cyber-espionage actions and steal data from victims – and in some cases, the state-backed attackers are also launching ransomware in a dual effort to embarrass victims and cover their tracks.

The two separate campaigns have been detailed by cybersecurity researchers at Cybereason, who've attributed the activity to an Iranian hacking group they track as Phosphorus, also known as APT35 and Charming Kitten, along with another Iranian-linked cyber operation, dubbed Moses Staff.

silversurfer

An Iranian state-backed hacking group tracked as APT35 (aka Phosphorus or Charming Kitten) is now deploying a new backdoor called PowerLess and developed using PowerShell.

The threat group also used the previously unknown malware to deploy additional modules, including info stealers and keyloggers, according to a report published today by the Cybereason Nocturnus Team.

The PowerLess backdoor features encrypted command-and-control communication channels, and it allows executing commands and killing running processes on compromised systems.

It also evades detection by running in the context of a .NET application, which allows it to hide from security solutions by not launching a new PowerShell instance.

"The toolset analyzed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy. At the time of writing this report, some of the IOCs remained active delivering new payloads," the Cybereason researchers said.
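Added example, not part of either post and not from the Cybereason report: the post above notes that PowerLess runs PowerShell inside a .NET application rather than spawning powershell.exe. Whatever the host, a .NET process that runs PowerShell code through the standard engine still has to load the engine assembly, System.Management.Automation.dll (or its native image, System.Management.Automation.ni.dll). Sysmon Event ID 7 (ImageLoaded) records such loads, so one detection is "engine loaded, but the loading image is not a known PowerShell host". The allow-list of hosts, the field names (taken from Sysmon's ImageLoaded event) and the sample events below are assumptions constructed for this illustration.

```python
"""Flag processes that load the PowerShell engine without being a PowerShell host.

Added example. Field names follow Sysmon Event ID 7 (ImageLoaded); the sample
events are constructed, not real telemetry, and the host allow-list is an
assumption that a deployment would tune to its own estate.
"""
import re
from typing import Dict, Iterable, List

# Assumption: legitimate PowerShell hosts on the monitored estate. Real
# deployments add their own (management agents, Exchange shells, etc.).
KNOWN_PS_HOSTS = {
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell_ise.exe",
    r"c:\program files\powershell\7\pwsh.exe",
}

# Matches the engine DLL whether it is the IL assembly or the NGEN'd image,
# regardless of whether it sits in the GAC or a pwsh install directory.
ENGINE_DLL = re.compile(r"\\system\.management\.automation(\.ni)?\.dll$", re.I)


def is_engine_load(event: Dict[str, str]) -> bool:
    """True for an ImageLoaded (Event ID 7) record whose DLL is the PS engine."""
    if event.get("EventID") != "7":
        return False
    return bool(ENGINE_DLL.search(event.get("ImageLoaded", "")))


def is_unexpected_host(event: Dict[str, str]) -> bool:
    """True when the engine is loaded by a process outside the host allow-list."""
    if not is_engine_load(event):
        return False
    return event.get("Image", "").lower() not in KNOWN_PS_HOSTS


def find_suspicious_loads(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events an analyst should look at, in input order."""
    return [e for e in events if is_unexpected_host(e)]


# Constructed sample telemetry. "update.exe" is a hypothetical name standing
# in for a .NET binary that embeds the PowerShell engine; nothing here is an
# indicator from the report.
GAC_ENGINE = (r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
              r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")
NI_ENGINE = (r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc"
             r"\1a2b3c\System.Management.Automation.ni.dll")

SAMPLE_EVENTS = [
    # Benign: the real PowerShell host loading its own engine (native image).
    {"EventID": "7", "ProcessId": "4120",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": NI_ENGINE},
    # Process-create event: wrong event type, ignored even though it is pwsh.
    {"EventID": "1", "ProcessId": "5004",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -NoProfile"},
    # Suspicious: an unknown user-writable binary pulling in the engine.
    {"EventID": "7", "ProcessId": "6316",
     "Image": r"C:\Users\j.doe\AppData\Roaming\Updater\update.exe",
     "ImageLoaded": GAC_ENGINE},
    # Benign: an ordinary DLL load by the same unknown binary, not the engine.
    {"EventID": "7", "ProcessId": "6316",
     "Image": r"C:\Users\j.doe\AppData\Roaming\Updater\update.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # Benign: pwsh loading the engine from its own install directory.
    {"EventID": "7", "ProcessId": "5004",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ImageLoaded": r"C:\Program Files\PowerShell\7\System.Management.Automation.dll"},
]


def main() -> None:
    for hit in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"PID {hit['ProcessId']}: {hit['Image']} loaded {hit['ImageLoaded']}")


if __name__ == "__main__":
    main()
```

The allow-list is the weak point of this check: it has to be curated per environment, and a miss on either side shows up as noise or a blind spot. It is also worth remembering that PowerShell script block logging (Event ID 4104) is produced by the engine rather than by powershell.exe, so when that policy is enabled the blocks run by an in-process host are still logged; pairing 4104 records with an unexpected host process is a second angle on the same behaviour.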