In a recent investigation, Check Point researchers attributed a new wave of phishing attacks against Israel to an Iranian state-backed hacking group. The campaign’s goal was to deliver PowerLess, an upgraded backdoor for Windows.
Check Point tracks the group under the name Educated Manticore. According to the researchers, the group shows “strong overlaps” in techniques and resources with the hacking collective APT35.
The researchers’ analysis of a series of attacks begins with a disk image file with the extension “.iso” that uses an Iraq-themed lure as its filename. Once the image is mounted and the executable inside it is launched, a malicious loader is dropped into memory, and this runs the PowerLess implant.
The ISO file also delivers the decoy document, written in Arabic, English, and Hebrew, which purports to present educational material about Iraq from a legitimate non-profit organization, the Arab Science and Technology Foundation (ASTF). This suggests that the research community may also have been a primary target of the campaign.
The Israeli security firm Cybereason first identified the PowerLess backdoor in February 2022; it has since been used to capture screenshots, record audio, log keystrokes, and steal data from applications and web browsers.
The researchers also reported discovering two further archive files used in the same attack chain. Further investigation found that the infection chains stemming from these archives resulted in the execution of a PowerShell script that downloads and runs two additional malicious files from a remote server.
Check Point observed that the group is still evolving and has improved its toolset and attack techniques. Among other things, the attackers have adopted the now widespread practice of using ISO images to evade detection.
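The delivery chain described above (an ISO is mounted, an executable inside it is launched, and PowerShell then fetches further payloads from a remote server) lends itself to a simple correlation rule on endpoint telemetry. The following detector is an added example written for this article; it is not Check Point's or Cybereason's code, and the event schema, host name, file names, timestamps and command lines are all constructed for illustration rather than taken from the report. It flags an executable started from a freshly mounted ISO volume, and raises a higher-severity finding when a child of such a process is PowerShell invoking a download primitive.

```python
"""Correlate ISO mounts with process creation to flag ISO-delivered loaders.

Telemetry schema (Event) is constructed for this example; map your EDR or
Sysmon fields onto it (image-mount events and process-creation events).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Event:
    ts: datetime
    kind: str            # "mount" (a disk image was mounted) or "process" (process created)
    host: str
    volume: str = ""     # mount: drive letter assigned to the image, e.g. "E:"
    source: str = ""     # mount: path of the mounted image file
    image: str = ""      # process: full path of the launched executable
    cmdline: str = ""    # process: command line
    parent: str = ""     # process: full path of the parent executable


# Command-line fragments that indicate PowerShell fetching content from a remote server.
DOWNLOAD_MARKERS = (
    "downloadfile", "downloadstring", "invoke-webrequest",
    "net.webclient", "start-bitstransfer", "invoke-restmethod",
)
# How long after the mount an execution from that volume is still considered linked to it.
WINDOW = timedelta(minutes=15)


def _drive(path: str) -> str:
    """Return the upper-cased drive letter prefix ("E:") of a Windows path, or ""."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else ""


def _is_powershell(image: str) -> bool:
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in ("powershell.exe", "pwsh.exe")


def detect(events: List[Event]) -> List[dict]:
    """Replay events in time order and return a list of findings."""
    mounts: Dict[Tuple[str, str], Event] = {}   # (host, drive letter) -> mount event
    findings: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "mount":
            if ev.source.lower().endswith(".iso"):
                mounts[(ev.host, ev.volume.upper())] = ev
            continue
        if ev.kind != "process":
            continue

        # Rule 1: an executable launched directly from a recently mounted ISO volume.
        own_mount = mounts.get((ev.host, _drive(ev.image)))
        if own_mount and ev.ts - own_mount.ts <= WINDOW and ev.image.lower().endswith(".exe"):
            findings.append({
                "rule": "exe_from_mounted_iso", "severity": "medium",
                "host": ev.host, "image": ev.image, "iso": own_mount.source,
            })

        # Rule 2: PowerShell with a download primitive, spawned by a process living on an ISO volume.
        parent_mount = mounts.get((ev.host, _drive(ev.parent)))
        cmd = ev.cmdline.lower()
        if (parent_mount and ev.ts - parent_mount.ts <= WINDOW
                and _is_powershell(ev.image) and any(m in cmd for m in DOWNLOAD_MARKERS)):
            findings.append({
                "rule": "powershell_download_from_iso_child", "severity": "high",
                "host": ev.host, "image": ev.image, "parent": ev.parent,
                "iso": parent_mount.source, "cmdline": ev.cmdline,
            })
    return findings


# Constructed sample telemetry: one malicious chain plus two benign events that must not fire.
T0 = datetime(2023, 5, 2, 9, 0, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(T0, "mount", "ws-17", volume="E:",
          source=r"C:\Users\alice\Downloads\education_program.iso"),
    Event(T0 + timedelta(seconds=20), "process", "ws-17",
          image=r"E:\education_program.exe", cmdline=r"E:\education_program.exe",
          parent=r"C:\Windows\explorer.exe"),
    Event(T0 + timedelta(seconds=35), "process", "ws-17", image=PS,
          cmdline='powershell.exe -nop -w hidden -c "(New-Object Net.WebClient).DownloadFile($u,$p)"',
          parent=r"E:\education_program.exe"),
    # benign: installer run from a physical optical drive that was never recorded as an ISO mount
    Event(T0 + timedelta(minutes=3), "process", "ws-17",
          image=r"D:\setup.exe", cmdline=r"D:\setup.exe", parent=r"C:\Windows\explorer.exe"),
    # benign: interactive PowerShell from Explorer with no download activity
    Event(T0 + timedelta(minutes=4), "process", "ws-17", image=PS,
          cmdline=r"powershell.exe Get-ChildItem C:\Logs", parent=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"], f["rule"], f["image"], "<-", f["iso"])
```

The mount-to-execution window and the download markers are the tunable parts: shorten the window on hosts where users legitimately mount ISOs, and widen the marker list as needed. Because the second rule keys on the parent's volume rather than on the loader's name or hash, it still fires when the lure file name or the in-memory loader changes, which is the kind of churn the article describes.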