Charming Kitten, a threat actor believed to operate from Iran, has been observed evolving its PowerStar backdoor alongside its spear-phishing tradecraft.
Cybersecurity firm Volexity discussed the findings in an advisory published on Wednesday, noting that the new version of PowerStar adds operational security measures that make the malware harder to analyze and to gather intelligence on.
“Charming Kitten sought to limit the risk of exposing their malware to analysis and detection by delivering the decryption method separately from the initial code and never writing it to disk,” explained Volexity researchers Ankur Saini and Charlie Gardner.
“This has the added bonus of acting as an operational guardrail, as decoupling the decryption method from its command-and-control (C2) server prevents future successful decryption of the corresponding POWERSTAR payload.”
Rather than bundling everything in the initial payload, the updated malware fetches its decryption function and configuration details from the InterPlanetary File System (IPFS) and from publicly accessible cloud hosting.
At the same time, Charming Kitten has been observed moving away from the cloud-hosting providers it previously favored (OneDrive, AWS S3, Dropbox) to other hosting options (Backblaze and IPFS).
“It is possible that the group regards this as less likely to lead to their tools being exposed or that these other providers are less likely to act against their accounts and infrastructure,” Saini and Gardner explained.
The latest version of PowerStar supports remote execution of PowerShell and C# commands, several persistence methods, dynamic configuration updates, multiple C2 channels, system reconnaissance, and monitoring of its own established persistence mechanisms.
According to Volexity, the update shows Charming Kitten continuing to refine its tooling to evade analysis and detection, which is why the firm stresses layered defenses against this kind of actor.
“The general phishing playbook used by Charming Kitten and the overall purpose of POWERSTAR remain consistent,” reads the advisory. “This suggests that Charming Kitten is successful enough not to warrant modifying these aspects of their operations.”
To defend against this activity, Volexity recommended deploying the YARA rules included in its advisory to detect related activity, blocking the indicators of compromise it lists, and, where an organization has no business need for IPFS, blocking the IPFS providers listed in the advisory, since malware authors can use them to host malicious files.
The Volexity report comes a few months after Zscaler reported a newly observed abuse of IPFS infrastructure by threat actors.
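The recommendation to block IPFS providers an organization does not need can be backed by a detection over web-proxy logs. The script below is an added example written for this article, not code from Volexity or from its advisory: it flags requests to a set of well-known public IPFS HTTP gateways (an assumed list, not Volexity's IOCs) and, independently of the hostname, any request whose path or subdomain carries a well-formed IPFS content identifier (CID), so that gateways outside the list are still caught. The log format, the client addresses and the CIDs in the sample lines are constructed.

```python
"""Flag web-proxy requests that reach IPFS over HTTP.

Constructed example for detecting/blocking IPFS gateway traffic. The gateway
list, the CIDs and the log lines are assumptions, not indicators from the
Volexity report.
"""
import re
from urllib.parse import urlsplit

# Assumption: well-known public IPFS HTTP gateways. Extend from your own proxy logs.
IPFS_GATEWAYS = {
    "ipfs.io",
    "dweb.link",
    "cloudflare-ipfs.com",
    "gateway.pinata.cloud",
    "w3s.link",
}

# CIDv0 is "Qm" followed by 44 base58 characters; the common CIDv1 form is
# lowercase base32, 59 characters, starting with "b" (usually "bafy...").
CID_RE = re.compile(r"^(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58})$")

# Path-style gateway access: /ipfs/<cid>/... or /ipns/<name>/...
PATH_RE = re.compile(r"^/(ipfs|ipns)/([^/?#]+)")

# Subdomain-style gateway access: <cid>.ipfs.<gateway>/...
SUBDOMAIN_RE = re.compile(r"^([^.]+)\.(ipfs|ipns)\.(.+)$")


def classify_url(url):
    """Return a dict describing why the URL looks like IPFS access, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"

    m = SUBDOMAIN_RE.match(host)
    if m:
        label, scheme, gateway = m.groups()
        if gateway in IPFS_GATEWAYS or CID_RE.match(label):
            return {"reason": "subdomain-gateway", "scheme": scheme,
                    "gateway": gateway,
                    "cid": label if CID_RE.match(label) else None}

    m = PATH_RE.match(path)
    if m:
        scheme, ident = m.groups()
        # A known gateway host is enough; so is a well-formed CID on any host.
        if host in IPFS_GATEWAYS or (scheme == "ipfs" and CID_RE.match(ident)):
            return {"reason": "path-gateway", "scheme": scheme,
                    "gateway": host,
                    "cid": ident if CID_RE.match(ident) else None}

    if host in IPFS_GATEWAYS:
        return {"reason": "known-gateway-host", "scheme": None,
                "gateway": host, "cid": None}
    return None


def scan_proxy_log(lines):
    """Parse 'timestamp client method url status' lines and return IPFS hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash on them
        ts, client, _method, url, _status = fields[:5]
        verdict = classify_url(url)
        if verdict:
            hits.append({"time": ts, "client": client, "url": url, **verdict})
    return hits


# Constructed CIDs: well-formed (right alphabet and length) but made up.
CID_V0 = "Qm" + "TzQ1JRkWErjk39mryYw2WVaphAZrTbRcWQqDmeFAsiEg"
CID_V1 = "bafy" + "beiaxq3ltz5rmt7jwugc2hpfyd6kbnvsoe4a7zklmj3yhb5rfcdw2sq"

# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    f"2023-06-28T10:01:02Z 10.0.5.21 GET https://ipfs.io/ipfs/{CID_V0}/config.txt 200",
    f"2023-06-28T10:01:09Z 10.0.5.21 GET https://{CID_V1}.ipfs.dweb.link/ 200",
    "2023-06-28T10:02:15Z 10.0.5.40 GET https://example.com/ipfs/readme.html 200",
    "2023-06-28T10:03:44Z 10.0.5.40 GET https://intranet.example.com/index.html 200",
    f"2023-06-28T10:04:01Z 10.0.5.77 GET https://unknown-gw.example.org/ipfs/{CID_V0} 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["reason"], hit["gateway"], hit["cid"])
```

The third sample line shows the caveat: a path that merely starts with `/ipfs/` on an unrelated site is not flagged unless the host is a known gateway or the next segment is a valid CID, which keeps the rule from firing on ordinary web applications. The last line shows the converse: a gateway that is not on the list is still caught because the CID itself is recognizable.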