A new wave of phishing attacks aimed at deploying an updated version of a backdoor called PowerLess has been linked to an Iranian nation-state threat actor by cybersecurity firm Check Point. The activity has been tracked under the name “Educated Manticore,” which overlaps with a number of hacking groups including APT35, Charming Kitten, and Cobalt Illusion.
APT35 has been active since at least 2011 and targets a wide range of victims through social media personas, spear-phishing, and N-day vulnerabilities. The phishing campaign is initiated by ISO images and other archive files that display decoy documents, purportedly academic content from a legitimate non-profit entity called the Arab Science and Technology Foundation (ASTF), to attract researchers.
The PowerLess backdoor is able to steal data from web browsers and apps such as Telegram, and to log keystrokes, among other things. The adversary continuously refines the malware to expand its functionality and evade detection, as evidenced by the updated loading mechanisms, which Check Point notes “rarely” appear in the wild.
Communication between PowerLess and its command-and-control server is encrypted after the implant obtains a key from the server, and researchers have observed the threat actor prepending three random letters to the encoded blob to mislead analysts.
This latest campaign is indicative of the increasing sophistication of nation-state cyberattacks, particularly by Iranian threat actors, who continue to leverage novel techniques and tools to conduct espionage and theft of valuable information. The use of archive files to initiate infection chains and decoy documents is a common tactic among nation-state threat actors, but the increased complexity of loading mechanisms and encryption techniques used by Educated Manticore indicates a desire to stay ahead of detection efforts.
The identification of APT35 and other Iranian threat actors has significant implications for international relations, particularly between Israel and Iran, and highlights the need for enhanced cybersecurity measures to prevent and mitigate such attacks.