Cybereason Nocturnus researchers uncover a new PowerShell backdoor named PowerLess Backdoor used by Phosphorus (APT35) for espionage operations, featuring modular loaders and staged payloads including a keylogger and information stealer. The findings tie Phosphorus to broader activity around the Memento ransomware and highlight heavy reliance on open-source tools and public exploits such as ProxyShell and Log4j. #PowerLessBackdoor #Phosphorus #MementoRansomware
Keypoints
- Novel PowerShell backdoor PowerLess Backdoor discovered by Cybereason Nocturnus, capable of downloading additional payloads (keylogger, info stealer).
- PowerShell runs inside a .NET context so that no powershell.exe process is spawned, which helps the backdoor evade security products.
- Toolset is highly modular and multi-staged, decrypting and deploying payloads across several steps for stealth and effectiveness.
- Some IOCs remained active at the time of reporting, indicating a highly active infrastructure.
- Widespread use of open-source tools and libraries to weaponize payloads and encrypt C2 communications.
- Connections found between Phosphorus and Memento ransomware, including shared infrastructure and similar TTPs.
- Phosphorus historically used public exploits (ProxyShell, Log4j) and targeted a broad set of sectors, including research facilities and human rights groups.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – ProxyShell exploitation of Microsoft Exchange vulnerabilities enabled threat actors to deploy malware on targets’ networks. “Towards the end of 2021, multiple attacks were carried out exploiting the notorious Microsoft Exchange Server vulnerabilities chained together and referred to as ProxyShell, which ultimately enabled multiple threat actors to deploy malware on their targets’ networks.”
- [T1059.001] PowerShell – The PowerLess Backdoor is a novel PowerShell backdoor; “novel PowerShell backdoor dubbed PowerLess Backdoor.” and “The PowerLess backdoor is executed within a .NET context, so therefore it does not spawn ‘powershell.exe’.”
- [T1027] Obfuscated/Encrypted Files and Information – Dll.dll is a simple .NET AES decryptor that uses a hardcoded key “()*&3dCfabE2/123” to decode another file named “upc” to ultimately execute PowerShell code from the decrypted object. “Dll.dll is a simple .NET AES decryptor that uses a hardcoded key …”
- [T1140] Deobfuscate/Decode Files or Information – The encrypted upc BLOB is decrypted using dll.dll and contains multiple encryption layers that are all decrypted in stages using base64 and AES ECB decryption.
- [T1105] Ingress Tool Transfer – PowerLess Backdoor supports downloading additional payloads (keylogger, info stealer) via its modular loader. “PowerLess Backdoor … supports downloading additional payloads, such as a keylogger and an info stealer.”
- [T1053.005] Scheduled Task – The loader creates a scheduled task for FRP (fast reverse proxy) deployment. “The loader creates a scheduled task for FRP, of course while being dependent on the OS type.”
- [T1573] Encrypted Channel – The PowerLess backdoor uses an encrypted channel with the C2. “Encrypted channel with the C2.”
- [T1555.003] Credentials from Web Browsers – The stealer module is a browser info stealer that collects browser data (Chrome/Edge) and stores logs for exfiltration. “a browser info stealer, which is also written in .NET, and includes the BouncyCastle crypto library. It also uses an SQLite data reader object for Chrome and Edge browser database files.”
Indicators of Compromise
- [IP Address] Pivot/C2 – 162.55.136.20, 148.251.71.182, and 91.214.124.143
- [Domain] C2 domain – google.onedriver-srv.ml
- [File] WindowsProcesses.exe – a 64-bit executable loader used to fetch and load dll.dll from %windir%\Temp
- [File] dll.dll – .NET AES decryptor used to decrypt and load the “upc” payload
- [File] upc – encrypted payload BLOB (decrypted by dll.dll) containing multiple layers of encryption that ultimately yield the PowerShell code to execute
- [File] Connector3.exe – loader file name seen in the FRP (fast reverse proxy) tooling shared across Phosphorus and Memento activity
- [File] Chromium F.exe – .NET browser info stealer variant observed in the toolkit
- [File] Sou.exe – Audio recorder module using NAudio library
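Added detection example (not code from the Cybereason report): it runs two of the checks a defender would derive from this page over Sysmon-style JSON events, flagging any process other than a PowerShell host that loads the PowerShell engine DLL (the "PowerShell inside a .NET context" behaviour under T1059.001), plus matches on the IP/domain/file IOCs listed above. The field names (EventID, Image, ImageLoaded, DestinationIp, DestinationHostname) follow Sysmon's event schema, and the sample events are constructed for the demonstration.

```python
import json
import ntpath

# Indicators taken from the report summary above.
C2_IPS = {"162.55.136.20", "148.251.71.182", "91.214.124.143"}
C2_DOMAINS = {"google.onedriver-srv.ml"}
LOADER_FILES = {"windowsprocesses.exe", "dll.dll", "connector3.exe", "chromium f.exe", "sou.exe"}
# Expected hosts of the PowerShell engine; any other process loading it is a
# candidate "PowerShell without powershell.exe" (T1059.001) finding.
PS_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
PS_ENGINE = "system.management.automation"

def base(path):  # lower-cased file name; ntpath splits on backslashes on any OS
    return ntpath.basename(path or "").lower()

def check_event(ev):
    """Return (rule, detail) findings for one Sysmon-style event dict."""
    hits, image = [], base(ev.get("Image"))
    if ev.get("EventID") == 7:  # Image loaded
        loaded = base(ev.get("ImageLoaded"))
        if loaded.startswith(PS_ENGINE) and image not in PS_HOSTS:
            hits.append(("unmanaged_powershell_host", f"{image} loaded {loaded}"))
        if loaded in LOADER_FILES:
            hits.append(("known_loader_file", f"{image} loaded {loaded}"))
    elif ev.get("EventID") == 3:  # Network connection
        ip = ev.get("DestinationIp", "")
        host = (ev.get("DestinationHostname") or "").lower().rstrip(".")
        if ip in C2_IPS or host in C2_DOMAINS:
            hits.append(("c2_ioc_match", f"{image} -> {host or ip}"))
    return hits

def scan(lines):
    """Run every rule over newline-delimited JSON events; return all findings."""
    return [hit for line in lines for hit in check_event(json.loads(line))]

# Constructed sample telemetry (not real logs), one JSON event per line.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"EventID": 7, "Image": r"C:\Windows\Temp\WindowsProcesses.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\System.Management.Automation.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\System.Management.Automation.dll"},
    {"EventID": 7, "Image": r"C:\Windows\Temp\WindowsProcesses.exe",
     "ImageLoaded": r"C:\Windows\Temp\dll.dll"},
    {"EventID": 3, "Image": r"C:\Windows\Temp\WindowsProcesses.exe",
     "DestinationIp": "162.55.136.20", "DestinationHostname": ""},
]]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

In production the engine-load rule needs an allowlist for legitimate non-PowerShell hosts of System.Management.Automation (management agents, some server products), otherwise it will be noisy.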