Iranian 'Educated Manticore' Hackers Target IsraelIranian Threat Actor Deploys Improved PowerLess Backdoor
Iranian hackers are deploying an updated backdoor apparently targeting Israeli academic researchers with an interest in Iraq.
Researchers at Check Point Security said a group they have dubbed "Educated Manticore" is sending the Iraq-themed bait in order to coax users into initiating a new and improved infection chain that ends with deployment of an implant known as PowerLess.
Other researchers have tied PowerLess to an Iranian actor known as Phosphorus, also tracked as Charming Kitten and APT35. The group has a history of targeting academics who specialize in the fundamentalist Shiite theocracy.
The Phosphorus designation comes from Microsoft, which this month shifted to a new threat group naming convention. The computing giant now calls the group Mint Sandstorm (see: Iranian State Hacker Aggression Escalates, Says Microsoft).
Check Point says clusters of Iranian hacking activity have become difficult to untangle. The PowerLess-wielding hackers spotted by Check Point in these findings have strong overlap with Mint Sandstorm. But, "we have no sufficient knowledge to place the activities around the PowerLess backdoor" in the complex puzzle of Iranian threat actors, company researchers wrote. As a result, they decided to give the activity its own name.
The group's loading mechanisms and techniques are improvements over previous PowerLess deployments. Prominent among those advances is the use of ".NET executables constructed as Mixed Mode Assembly - a mixture of .NET and native C++ code," Check Point researchers wrote. Mixed-mode software is harder to reverse-engineer than pure code.
The infection chain begins when Educated Manticore installs an initial loader and payload downloader a folders. The lure is an ISO file named
Iraq development resources.iso as well as the documents within the file.
The loader is stored as
zoom.jpg within the ISO file. The initial loader is disguised as an empty folder, in a bid to have victims click on it without noticing the
.exe extension. The final payload is a new version of the PowerLess payload -with more than double the number of commands.
The new features include showing a list of installed programs, processes and files; stealing user data from the Telegram desktop app; and taking screenshots. This PowerLess payload can also download extra modules, including a keylogger, an info stealer and a sound recorder.