# PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage

**[cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage](https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage)**

February 1, 2022 | 8 minute read

Over the past months, the [Cybereason Nocturnus Team](https://www.cybereason.com/blog/authors/cybereason-nocturnus) observed an uptick in the activity of the Iranian-attributed group dubbed Phosphorus (AKA Charming Kitten, APT35), known for previously [attacking medical research organizations in the US and Israel in late 2020](https://threatpost.com/charming-kitten-pounces-on-researchers/165129/), and for [targeting academic researchers from the US, France, and the Middle East region back in 2019](https://www.clearskysec.com/wp-content/uploads/2019/09/The-Kittens-Are-Back-in-Town-Charming-Kitten-Sep-2019.pdf). They have also previously [targeted human rights activists and the media sector, and interfered with the US presidential elections](https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2-1.pdf).

Towards the end of 2021, multiple attacks were carried out exploiting the notorious Microsoft Exchange Server vulnerabilities chained together and referred to as [ProxyShell](https://www.cybereason.com/blog/threat-alert-microsoft-exchange-proxyshell-exploits-and-lockfile-ransomware), which ultimately enabled multiple threat actors to deploy malware on their targets’ networks. There have been [several reports detailing the exploitation of these vulnerabilities by Iranian state-sponsored threat actors](https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/), among them the Phosphorus APT group carrying out ransomware attacks.
Cybereason researchers recently discovered a new set of tools developed by the Phosphorus group and incorporated into its arsenal, including a novel PowerShell backdoor dubbed PowerLess Backdoor. Our research also highlights a stealthy technique the group uses to avoid PowerShell detection: running the PowerShell backdoor in a .NET context rather than spawning the PowerShell process.

In addition, several interesting connections were found between the Phosphorus group and the [Memento Ransomware](https://news.sophos.com/en-us/2021/11/18/new-ransomware-actor-uses-password-protected-archives-to-bypass-encryption-protection/) that first emerged in late 2021. (Related Iranian APT research: StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations.)

## Key Findings

- **Novel PowerShell Backdoor:** A novel and previously undocumented PowerShell backdoor related to the Phosphorus group was discovered by the Cybereason Nocturnus Team and dubbed PowerLess Backdoor. It supports downloading additional payloads, such as a keylogger and an info stealer.
- **Evasive PowerShell Execution:** The PowerShell code runs in the context of a .NET application, thus not launching “powershell.exe”, which enables it to evade security products.
- **Modular Malware:** The toolset analyzed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages, for the sake of both stealth and efficacy.
- **Highly Active Infrastructure:** At the time of writing this report, some of the IOCs remained active, delivering new payloads.
- **Wide Range of Open Source Tools:** A lot of the activity observed involved a variety of publicly available tools, such as cryptography libraries, weaponized for payloads and communication encryption.
- **Shared IOCs with Memento Ransomware:** One of the IP addresses serves a domain which is being used as command and control (C2) for the recently [discovered Memento Ransomware](https://www.sophos.com/en-us/press-office/press-releases/2021/11/sophos-discovers-new-memento-ransomware.aspx).
- **Phosphorus Threat Group:** The Phosphorus Threat Group was previously spotted attacking research facilities in multiple regions such as the US, Europe and the Middle East. The group is known to be behind multiple cyber espionage and offensive cyber attacks, operating in the interest of the Iranian regime and leveraging cyberwarfare in accordance with Iran’s geopolitical interests.
- **Use of Publicly Available Exploits:** The Phosphorus Group was first seen exploiting the ProxyShell vulnerability, and later on the [Log4j vulnerability](https://www.cybereason.com/blog/cybereason-releases-vaccine-to-prevent-exploitation-of-apache-log4shell-vulnerability-cve-2021-44228) as well, utilizing fresh exploits in the wild.

## A Glimpse into Phosphorus’ Updated Arsenal

Following up on both public and non-public intelligence available to Cybereason regarding the Phosphorus threat actor, the Cybereason Nocturnus Team was able to identify a new toolset that includes a novel backdoor, malware loaders, a browser info stealer, and a keylogger.

It is worth noting that some of the more recent methods observed in attacks attributed to the Phosphorus group included open-source tools such as the well-known [DiskCryptor](https://github.com/DavidXanatos/DiskCryptor) library and also BitLocker, along with the Fast Reverse Proxy (FRP), which is used for RDP proxying.

The following sections detail the discovery process and analysis of the newly identified tools.
### Pivoting from a Previously Known Arsenal

The journey to the discovery of the new toolset started with threat intelligence efforts that included pivoting on an IP address (162.55.136[.]20) that was already attributed to Iranian threat actors by multiple sources, including [US CERT](https://www.cisa.gov/uscert/ncas/alerts/aa21-321a).

While examining different files that were downloaded from this IP address, we stumbled upon a file named [“WindowsProcesses.exe”](https://www.virustotal.com/gui/file/a4c908859d78973a94581ea010b10b9a83d25cbafe0c0704dc67ff43c05f0040):

_WindowsProcesses.exe hosted on the abovementioned IP_

The file seems to have only been detected by 35/68 antivirus vendors, according to VirusTotal:

_WindowsProcesses.exe details as seen in VirusTotal_

### Analysis of WindowsProcesses.exe

This file, entitled “WindowsProcesses.exe”, is a 64-bit executable loader whose sole purpose is to resolve relevant DLLs and load another file from the “%windir%\Temp” path entitled “dll.dll”:

_WindowsProcesses and related modules execution diagram_

Once the relevant DLLs (mostly related to .NET runtime libraries) and API calls are resolved, dll.dll is executed:

_The main code of WindowsProcesses.exe_

By the looks of it, the authors could have been inspired by a [code snippet publicly available on GitHub](https://gist.github.com/farzinenddo/bb1f1ecb56aa9326abc7b47fc99e588e), which facilitates running PowerShell with the CLR in native runtime. The snippet is named “Powerless”, and the authors seem to have kept that naming convention, as shown in the PDB path of the binary:

_C:\\Users\\pugna\\Desktop\\126\\V1\\PowerLessCLR\\x64\\Release\\PowerLessCLR.pdb_

### Analysis of dll.dll

dll.dll is a simple .NET AES decryptor that uses a hardcoded key “()*&3dCfabE2/123” to decode another file named “upc” and ultimately execute PowerShell code from the decrypted object:

_The code of dll.dll_

### upc

The upc encrypted BLOB is decrypted using dll.dll, and contains multiple
encryption layers that are all decrypted in stages using base64 and AES ECB decryption. The keys used for decryption are as follows:

- `()*&3dCfabE2/123`
- `0123654789mkiujn`
- `25sL(*14@#SDFcgd`

Prior to decrypting the PowerShell backdoor, an intermediate stage takes place in which the victim’s machine is assigned a unique identifier that is sent to the C2, and an additional configuration is downloaded:

_The intermediate stage during the PowerLess backdoor decryption_

### Analysis of the PowerLess Backdoor

After all the AES-encrypted layers are decrypted, the PowerLess backdoor is executed:

_PowerLess backdoor command parsing code segment_

The PowerLess backdoor is equipped with the following capabilities:

- Downloading and executing additional malware and files
- Additional modules:
  - [Browser info stealer](https://www.virustotal.com/gui/file/ac9ed12685f0094de0897ff72b6c457ff4fb8f8750cf1fedccd59c8976eb4f24)
  - [Keylogger module](https://www.virustotal.com/gui/file/3f9fb115afd2da19d3a231791dbe3c6f615c9908b7d12376ef8b097ebdfec6e9)
- Encrypted channel with the C2
- Executing arbitrary commands
- Killing processes
- Stealing browser data
- Keylogging

It is worth mentioning that the backdoor runs within a .NET context, and therefore does not spawn “powershell.exe”.
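The staged decryption described above, as an added example that is not code from the report or from the malware: a Go program that builds a three-layer base64/AES-ECB blob with the keys listed in the report and then peels it back, trying every key on every layer (the report lists the keys but not their order, so the unwrapper goes beyond it by not assuming one). The layer layout (PKCS#7 padding, one key per layer, base64 around each layer) is an assumption; the real upc blob is not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/base64"
	"unicode/utf8"
)

// The three 16-byte (AES-128) keys named in the report, in the order listed there.
var stageKeys = []string{"()*&3dCfabE2/123", "0123654789mkiujn", "25sL(*14@#SDFcgd"}

// ecb applies AES to each 16-byte block on its own (ECB mode: no IV, no chaining).
func ecb(key, data []byte, decrypt bool) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key used here is 16 bytes; any other length is a caller bug
	}
	op := block.Encrypt
	if decrypt {
		op = block.Decrypt
	}
	out := make([]byte, len(data))
	for i := 0; i+aes.BlockSize <= len(data); i += aes.BlockSize {
		op(out[i:], data[i:])
	}
	return out
}

// unpad validates and strips PKCS#7 padding (the .NET AES default); b must be non-empty.
func unpad(b []byte) ([]byte, bool) {
	n := int(b[len(b)-1])
	if n == 0 || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, false
	}
	return b[:len(b)-n], true
}

// wrapLayer builds one layer (plaintext -> PKCS#7 -> AES-ECB -> base64) so the example can
// construct its own sample input; the real layout of the upc blob is an assumption.
func wrapLayer(key string, plain []byte) string {
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	return base64.StdEncoding.EncodeToString(ecb([]byte(key), padded, false))
}

// Unwrap peels layers recursively: if some key turns the base64 blob into validly padded
// UTF-8 text it recurses into that text, else the blob is the innermost stage. Keys come back outermost first.
func Unwrap(blob string, keys []string) (string, []string) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err == nil && len(raw) > 0 && len(raw)%aes.BlockSize == 0 {
		for _, k := range keys {
			if un, ok := unpad(ecb([]byte(k), raw, true)); ok && utf8.Valid(un) {
				inner, used := Unwrap(string(un), keys)
				return inner, append([]string{k}, used...)
			}
		}
	}
	return blob, nil
}
```

On a real sample, pass the upc bytes in as `blob`; a layer that does not fit the assumed layout stops the peel and is returned unchanged for manual inspection.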
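A defender-side check for the in-process hosting noted above, as an added example that is not from the original post: Go code that parses constructed messages in the shape of Windows PowerShell log event 400 (the engine-start record, which carries the HostName and HostApplication of whatever process loaded the engine) and flags starts whose host executable is not a standard PowerShell host. The event text, paths and host IDs are constructed for this example.

```go
package main

import (
	"path"
	"strings"
)

// Constructed messages in the shape of the Windows PowerShell log's event 400 ("Engine
// state is changed from None to Available"), which the engine writes at start-up no
// matter which process loaded it. Host IDs and paths are made up for this example.
var sampleEngineEvents = []string{
	"Engine state is changed from None to Available.\n\nDetails:\n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n\tHostId=11111111-2222-3333-4444-555555555555\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile\n\tEngineVersion=5.1.19041.1",
	"Engine state is changed from None to Available.\n\nDetails:\n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=Default Host\n\tHostVersion=5.1.19041.1\n\tHostId=66666666-7777-8888-9999-000000000000\n\tHostApplication=C:\\Users\\Public\\WindowsProcesses.exe\n\tEngineVersion=5.1.19041.1",
	"Engine state is changed from None to Available.\n\nDetails:\n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=7.2.1\n\tHostId=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\n\tHostApplication=\"C:\\Program Files\\PowerShell\\7\\pwsh.exe\" -NoLogo\n\tEngineVersion=7.2.1",
}

// knownHosts lists executables expected to host the PowerShell engine; anything else
// (such as WindowsProcesses.exe driving PowerLess through the CLR) deserves a look.
var knownHosts = map[string]bool{"powershell.exe": true, "powershell_ise.exe": true, "pwsh.exe": true}

type Finding struct{ HostName, HostApplication string }

// field returns the value of the first "Name=value" line in the event's Details section.
func field(msg, name string) string {
	for _, line := range strings.Split(msg, "\n") {
		if line = strings.TrimSpace(line); strings.HasPrefix(line, name+"=") {
			return strings.TrimPrefix(line, name+"=")
		}
	}
	return ""
}

// hostExe extracts the lower-cased image name from HostApplication, which carries the
// host's full command line: the image path is the first token and may be quoted.
func hostExe(hostApp string) string {
	s := strings.TrimSpace(hostApp)
	image := s
	if strings.HasPrefix(s, "\"") {
		image = s[1:]
		if end := strings.Index(image, "\""); end >= 0 {
			image = image[:end]
		}
	} else if f := strings.Fields(s); len(f) > 0 {
		image = f[0]
	}
	return strings.ToLower(path.Base(strings.ReplaceAll(image, "\\", "/")))
}

// UnexpectedHosts flags engine starts whose hosting executable is not a standard PowerShell
// host. Script block logging (event 4104) captures the script text either way; this is a first pivot.
func UnexpectedHosts(events []string) []Finding {
	var out []Finding
	for _, ev := range events {
		if app := field(ev, "HostApplication"); app != "" && !knownHosts[hostExe(app)] {
			out = append(out, Finding{field(ev, "HostName"), app})
		}
	}
	return out
}
```

Legitimate management software also hosts the engine in-process, so hits are a triage queue to baseline rather than alerts on their own; the point is that the engine writes this record itself, so the PowerLess host leaves it even though no powershell.exe process ever exists.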
Running the backdoor inside a .NET host rather than through powershell.exe can be interpreted as an attempt to evade certain PowerShell detections, although PowerShell logs are still being saved on the machine:

_Windows Processes and the malicious loaded module “dll.dll” as seen in the Cybereason XDR Platform_

Oddly enough, there is a part of the code in the PowerLess Backdoor that does spawn a powershell.exe process, when a request to kill a process is received from the C2:

_A part of the PowerLess Backdoor that spawns powershell.exe_

It can be assumed that the native language of the backdoor’s authors is likely not English, given the abundance of typos and grammatical mistakes found in the code:

_PowerLess backdoor logging_

#### Keylogger

One of the modules downloaded by the PowerLess backdoor is a keylogger written in .NET. Its core functionality is quite simple, consisting of hooks and the logging of the user’s keystrokes:

_Partial code from the keylogger module_

The logs are stored in the following path: "C:\\Windows\\Temp\\Report.06E17A5A-7325-4325-8E5D-E172EBA7FC5BK":

_Logs path of the keylogger module_

#### Stealer

Another module is a browser info stealer, also written in .NET, which includes the [BouncyCastle](https://www.bouncycastle.org/) crypto library. It also uses an SQLite data reader object for Chrome and Edge browser database files. In the staging phase, the data is encrypted and written in JSON format for exfiltration:

_Partial code from the info stealer module_

The logs are stored in the following path: “C:\\Windows\\Temp\\cup.tmp”:

_Logs path of the stealer module_

### Additional Tools Potentially Related to Phosphorus

In addition to the newly discovered PowerLess Backdoor, other tools were identified by the Nocturnus Team which are suspected to originate from the same developer. However, at this point in time there isn't enough evidence to conclusively tie these tools to Phosphorus with a high level of confidence.
Looking at the PE info of “WindowsProcesses.exe”, the below PDB path is present: “C:\Users\pugna\Desktop\126\V1\PowerLessCLR\x64\Release\PowerLessCLR.pdb”:

_The PDB path from WindowsProcesses.exe_

Searching for the prefix “C:\Users\pugna” returns other unidentified tools:

_Artifacts found in VirusTotal with the search “C:\Users\pugna”_

#### Chromium F

“Chromium F.exe” is yet another .NET browser info stealer. Although the code is different, its functionality is similar to the abovementioned info stealer module, leading us to assess that it might be an earlier variant:

_Code segment from Chromium F.exe_

#### Sou.exe - Audio Recorder

“Sou.exe” is another .NET file, but this time it’s an audio recorder which uses the [NAudio](https://github.com/naudio/NAudio) open source library:

_Code segment from Sou.exe_

#### A New Locker in the Making?

One of the more recent tools allegedly from the same developer is what appears to be an [unfinished ransomware variant](https://www.virustotal.com/gui/file/014e73d083df4a5816bd838d03a1b38e1438914154fe0bb7d988d05df0407b84). It is also written in .NET and at this point doesn’t do anything except lock the target’s screen. As can be seen, fields like the ransom amount and the attacker’s email are yet to be set. Although unfinished, it is worth mentioning that the sample was uploaded from Iran via web, and it might imply yet another step by this threat actor in the direction of ransomware:

_Unfinished ransomware sample uploaded to VirusTotal from Iran_

_The unfinished ransomware locker screen_

### Analysis of FRP Loaders

#### Java Multi Platform Loader

One of the more active IPs [reported in the ProxyShell attacks](https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/) was 148.251.71[.]182. In addition, [another recent report](https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/) mentions this IP address as part of active exploitation of the [Log4j vulnerability](https://www.dynatrace.com/news/blog/what-is-log4shell/):

_Files found on the IP address 148.251.71[.]182_

The “symantec” and “update” themed files all serve FRP again. The “RCE” links, on the other hand, serve a Java loader that determines the victim machine’s operating system and drops the appropriate version of FRP:

_The Java RCE class_

There are two slightly different variations of the loader, but both eventually check the file separator of the OS, which is “/” on Linux or “\” on Windows, and then download the payload and create persistence:

_Content of the malicious Java class_

#### PowerShell to Exe Downloader

Another loader which eventually delivers FRP is PowerShell code converted to an executable by the [“Ps1 To Exe” freeware](https://m.majorgeeks.com/files/details/ps1_to_exe.html) that is available for download on public forums, where less technical people can successfully use it:

_Information about one of the FRP loaders_

Finally, the loader creates a scheduled task for FRP, again depending on the OS type. A full process tree of a real-time attack that exploits the ProxyShell vulnerability and deploys the FRP modules can be seen below:

_A real-time FRP staging and execution as seen in the Cybereason XDR Platform_

Once the attackers exploited the vulnerable Microsoft Exchange Server, they downloaded the FRP module, ran multiple reconnaissance commands, created persistence, dumped credentials using a [known LOLBIN technique (Comsvcs.dll)](https://lolbas-project.github.io/lolbas/Libraries/comsvcs/), and attempted to move laterally, as can be seen in the above Cybereason XDR Platform image.
## The Memento Ransomware Connection

Another IP that appears in US CERT’s list is 91.214.124[.]143. Searching for it in VirusTotal reveals other malicious files communicating with it, as well as unique URL directory patterns that reveal a potential connection to Memento Ransomware.

The string “gsdhdDdfgA5sS” appears to be generated by the same script as the one [listed in the Memento Ransomware IOCs](https://github.com/sophoslabs/IoCs/blob/master/ransomware_memento.csv): “gadfTs55sghsSSS”.

The domain “google.onedriver-srv[.]ml” previously resolved to the IP address 91.214.124[.]143 mentioned in the [US CERT alert](https://www.cisa.gov/uscert/ncas/alerts/aa21-321a) about Iranian state-sponsored actor activity:

_Some of the Memento IOCs that are suspected to be related to Phosphorus_

The “Connector3.exe” naming convention: as mentioned above, Phosphorus has been observed using the FRP tool on many occasions. The file name used for FRP and reported by US CERT is “Connector3.exe”. As can be seen below, the same name is used to name a backdoor by Memento:

_FRP named “Connector3.exe” from US CERT report_

The activity of Phosphorus with regard to ProxyShell took place in about the same time frame as Memento. Iranian threat actors were also reported to be turning to ransomware during that period, which strengthens the hypothesis that Memento is operated by an Iranian threat actor.

## Conclusion

In this report, the Cybereason Nocturnus Team detailed a previously undocumented PowerShell backdoor dubbed PowerLess, used by the Iranian APT Phosphorus in recent attacks. This research also provided further details regarding the group’s tools and techniques, including the use of publicly available tools and a combination of coding languages. The extensive usage of open source tools is assessed to demonstrate the intermediate coding skills of the attackers.
The use of various programming languages might also point to a lack of specialization in any specific coding language.

This research also highlights how important it is for threat intelligence analysts to “follow the breadcrumbs,” such as pivoting on known infrastructure or, in this case, the PDB paths left by the attackers, in order to pave the way for discovering additional tools and connections to other operations.

Finally, a connection between Phosphorus and the Memento ransomware was also found through mutual TTP patterns and attack infrastructure, strengthening the connection between this previously unattributed ransomware and the Phosphorus group.

[The Cybereason XDR Platform](https://www.cybereason.com/platform/xdr) detects and blocks the PowerLess Trojan and other advanced TTPs used in this operation. Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place.

## MITRE ATT&CK BREAKDOWN

| Reconnaissance | Execution | Persistence | Defense Evasion |
|---|---|---|---|
| Gather Victim Host Information | Command and Scripting Interpreter: PowerShell | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001/) | [Masquerading](https://attack.mitre.org/techniques/T1036/) |
| [Gather Victim Identity Information](https://attack.mitre.org/techniques/T1589/) | Exploitation for Client Execution | [Scheduled Task/Job: At (Windows)](https://attack.mitre.org/techniques/T1053/002/) | [Impair Defenses: Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004/) |
| | | [Scheduled Task/Job: At (Linux)](https://attack.mitre.org/techniques/T1053/001/) | [Modify Registry](https://attack.mitre.org/techniques/T1112/) |
| | | Server Software Component: Web Shell | |

| Discovery | Collection | Command and Control | Credential Access |
|---|---|---|---|
| Account Discovery: Local Account | Archive Collected Data | Application Layer Protocol: Web Protocols | OS Credential Dumping |
| | [Audio Capture](https://attack.mitre.org/techniques/T1123/) | Data Encoding: Standard Encoding | |
| | Input Capture: Keylogging | Encrypted Channel: Symmetric Cryptography | |
| | | [Proxy](https://attack.mitre.org/techniques/T1090/) | |

## About the Researcher: DANIEL FRANK

Daniel Frank is a senior Malware Researcher at Cybereason. Prior to Cybereason, Frank was a Malware Researcher at F5 Networks and RSA Security. His core roles as a Malware Researcher include researching emerging threats, reverse-engineering malware and developing security-driven code. Frank has a BSc degree in information systems.

## About the Author

**Cybereason Nocturnus**

The Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.

[All Posts by Cybereason Nocturnus](https://www.cybereason.com/blog/authors/cybereason-nocturnus)