Last Updated on 03/02/2022 by Nidhi Khandelwal
To ensure persistence, the PowerShell installer modifies the Windows Registry and drops a .LNK file into Windows' Startup directory. This modification causes the malware to be loaded from an encrypted payload concealed behind a "smokescreen" of 100 to 300 junk files created specifically for this purpose, according to the researchers.
Furthermore, the unique, random file extension of the junk file that the shortcut points to is used to build a custom file type key in the Registry; that key runs a PowerShell command which executes the malware during system startup.
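As an added defensive example (not from the article or from Cybereason's report), the following PowerShell script checks a host for the persistence pattern described above: a .LNK in a Startup folder whose target carries an unusual extension, and a custom file type key for that extension whose open command invokes PowerShell. The Startup folder lookup, the list of extensions treated as normal for a Startup shortcut, and the `powershell|pwsh` match are my assumptions, not details from the report.

```powershell
# Added example: hunt for Startup .LNK files whose target extension is mapped,
# via a custom file type key, to a PowerShell command. Run in an elevated session.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Extensions normally seen as Startup shortcut targets (assumed list); anything else is worth a look.
$expectedExtensions = @('.exe', '.lnk', '.bat', '.cmd', '.url', '.vbs', '.js', '.ps1')

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if (-not $target) { continue }
        $ext = [System.IO.Path]::GetExtension($target).ToLowerInvariant()
        if (-not $ext) { continue }

        # Resolve extension -> ProgID -> shell\open\command. HKCR merges the
        # machine-wide and per-user Classes hives, so a key planted in either shows up here.
        $progId  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
        $openCmd = $null
        if ($progId) {
            $openCmd = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
        }

        # Flag an unexpected extension, or any open command that launches PowerShell.
        $suspicious = ($expectedExtensions -notcontains $ext) -or
                      ($openCmd -and $openCmd -match 'powershell|pwsh')
        if ($suspicious) {
            [PSCustomObject]@{
                Shortcut    = $lnk.FullName
                Target      = $target
                Extension   = $ext
                ProgId      = $progId
                OpenCommand = $openCmd
            }
        }
    }
}

$findings | Format-List
```

A hit with a random-looking extension and an open command containing `powershell` matches the chain the researchers describe; a legitimate application installer can also register a private extension, so compare the open command and the target file against what is expected on that host before acting on a result.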
The backdoor itself is under continuous development, with a growing set of features that allow it to steal data from web browsers, facilitate bitcoin theft, and execute arbitrary commands and scripts.
The threat actor, active since at least 2017, has been behind a number of attacks in recent years, including campaigns in which the adversary posed as journalists or academics to trick targets into installing malware and collect confidential material.
Check Point Research revealed details of an espionage operation earlier this month in which a hacking group exploited the Log4Shell vulnerability to deploy a modular backdoor known as CharmPower for follow-on attacks.
According to Cybereason, the latest additions to the group's arsenal form a completely new toolset that includes the PowerLess Backdoor, which can download and run additional modules such as a browser info-stealer and a keylogger.
A number of other malicious artifacts, including an audio recorder, an earlier edition of the information stealer, and what the researchers assume is an unfinished ransomware variant written in .NET, are also potentially tied to the same backdoor author.