Research by Check Point presents a new and improved infection chain leading to the deployment of a new version of a Windows backdoor called PowerLess.

Iranian state-sponsored threat actor Educated Manticore has been observed deploying an updated version of PowerLess, a Windows backdoor, in phishing attacks targeting Israel, according to a new report by Check Point. Researchers have also linked Educated Manticore to the Phosphorus APT group, which operates in the Middle East and North America.

“The research presents a new and improved infection chain leading to the deployment of a new version of PowerLess. This implant was attributed to Phosphorus in the past,” Check Point said in its research.

Phosphorus has been active since at least 2017. It has been linked to a series of campaigns in recent years, especially those in which APT members posed as journalists and scholars to trick targets into installing malware and steal classified information. While the PowerLess payload is similar to the one deployed by Phosphorus, researchers said the loading methods now use an improved toolset.

Educated Manticore uses .Net executables

In its latest attacks, Educated Manticore was seen using .Net executables built as mixed-mode assemblies, a rarely used technique. “The actor has significantly improved its toolset, utilizing rarely seen techniques, most prominently using .Net executables constructed as Mixed Mode Assembly – a mixture of .Net and native C++ code. It improves tools’ functionality and makes the analysis of the tools more difficult,” Check Point said in its report.

The hacking group has also started using ISO images. The ISO images used by the threat actor are in English, Arabic, and Hebrew, with academic content about Iraq.
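A quick triage check for the mixed-mode property described above, as an added example (this is not code from the page or from Check Point's report): it walks the PE headers to the CLR runtime data directory and reads the Flags field of the CLR header. An image whose COMIMAGE_FLAGS_ILONLY bit is clear contains native code alongside IL, which is what a C++/CLI mixed-mode assembly looks like on disk. The sample image is constructed inline purely so the check can run offline; it is an assumption, not a real binary, and `build_sample_pe` exists only for that purpose.

```python
"""Triage check: is a PE a .NET image, and if so, is it IL-only or mixed-mode
(IL plus native code)? Added example based on the PE/COFF and ECMA-335 layouts."""
import struct
from typing import Optional

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data directory slot of the CLR runtime header
COMIMAGE_FLAGS_ILONLY = 0x00000001          # ECMA-335 II.25.3.3.1: image contains only IL


def _rva_to_offset(rva: int, sections) -> int:
    """Translate an RVA to a file offset using the section table."""
    for vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA 0x%x is not mapped by any section" % rva)


def clr_flags(pe: bytes) -> Optional[int]:
    """Return the Flags field of the CLR header, or None if the PE has no CLR header."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:        # PE32
        dir_count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        dir_count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dir_count = struct.unpack_from("<I", pe, dir_count_off)[0]
    if dir_count <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return None
    clr_rva, clr_size = struct.unpack_from(
        "<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    if clr_rva == 0 or clr_size == 0:
        return None            # plain native PE, no managed code at all
    sec_table = opt + opt_size
    sections = [struct.unpack_from("<IIII", pe, sec_table + 40 * i + 8)
                for i in range(num_sections)]   # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    clr = _rva_to_offset(clr_rva, sections)
    # IMAGE_COR20_HEADER: cb(4) MajorRuntimeVersion(2) MinorRuntimeVersion(2) MetaData(8) Flags(4)
    return struct.unpack_from("<I", pe, clr + 16)[0]


def classify(pe: bytes) -> str:
    """'native' (no CLR header), 'il-only', or 'mixed-mode' (IL plus native code)."""
    flags = clr_flags(pe)
    if flags is None:
        return "native"
    return "il-only" if flags & COMIMAGE_FLAGS_ILONLY else "mixed-mode"


def build_sample_pe(flags: Optional[int]) -> bytes:
    """Constructed sample: a minimal, non-runnable PE32+ image with one section.
    flags=None omits the CLR directory so the image reads as a native PE."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    struct.pack_into("<HH", img, coff, 0x8664, 1)                 # AMD64, one section
    struct.pack_into("<H", img, coff + 16, 240)                   # SizeOfOptionalHeader: PE32+ with 16 dirs
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)                    # NumberOfRvaAndSizes
    sec = opt + 240
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x1000, 0x200, 0x200)  # vsize, va, rawsize, rawptr
    if flags is not None:
        struct.pack_into("<II", img, opt + 112 + 8 * 14, 0x1008, 72)      # CLR directory -> RVA 0x1008
        clr = 0x208                                                        # 0x1008 - 0x1000 + 0x200
        struct.pack_into("<IHH", img, clr, 72, 2, 5)                      # cb, runtime version 2.5
        struct.pack_into("<I", img, clr + 16, flags)
    return bytes(img)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify(fh.read()))
```

Run it as `python clrcheck.py sample.exe`. The ILONLY bit is what the runtime itself consults, but it is advisory: corroborate a "mixed-mode" verdict with native imports or a non-CLR entry point, and remember that a stager can unpack the managed payload only in memory, so check the dropped or dumped image, not just what the ISO carries.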
The languages and the academic content of the ISO lures suggest, researchers said, that “the targets might have been academic researchers.”

The attack chain uses Iraq-themed lures

The attack chain begins with an ISO image file that uses Iraq-themed lures to load a custom in-memory downloader. The ISO file claims that the academic material comes from a nonprofit organization called the Arab Science and Technology Foundation. The downloader's ultimate purpose is to install the PowerLess payload.

“PowerLess communication to the server is Base64-encoded and encrypted after obtaining a key from the server. To mislead researchers, the threat actor actively adds three random letters at the beginning of the encoded blob,” Check Point said in its report.

Phosphorus’s use of the PowerLess payload was highlighted by Cybereason in February 2022. PowerLess can steal data from web browsers and apps such as Telegram, take screenshots, record audio, and log keystrokes.

Expect more post-infection activity

Researchers have warned that the updated version of the malware may be followed by further post-infection activity.

“Because it is an updated version of previously reported malware, PowerLess, associated with some of Phosphorus’ Ransomware operations, it is important to note that it might only represent the early stages of infection, with significant fractions of post-infection activity yet to be seen in the wild,” Check Point said.

Educated Manticore continues to evolve, refining previously observed toolsets and delivery mechanisms, Check Point said. “The actor is seen adopting popular trends to avoid detection and keeps developing custom toolsets using advanced techniques,” Check Point said in its report.