Threats Feed|Mint Sandstorm (Phosphorus)|Last Updated 05/08/2023|AuthorCertfa Radar|Publish Date01/02/2022

PowerLess Backdoor: Analyzing the Phosphorus Group's Cyber Espionage Tool

  • Actor Motivations: Espionage,Exfiltration
  • Attack Vectors: Vulnerability Exploitation,Backdoor,Keylogger,Malware,Trojan
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

Iranian APT group Phosphorus has developed a new PowerShell backdoor, dubbed PowerLess Backdoor, for espionage purposes. Cybereason researchers discovered the backdoor while investigating the group's exploitation of the ProxyShell vulnerability. The backdoor allows for downloading additional payloads, evasive PowerShell execution, and encrypted communication with the command and control server. Connections were also found between the Phosphorus group and the Memento Ransomware.

Extracted IOCs

  • google.onedriver-srv[.]ml
  • 35687692c7c64595f0315fd7e3bb5443
  • 5f815434c2d993f1ef3b42f57677501a
  • 68c1aa74fd77755a5e98be1b52ff4886
  • 8ef35bbb2319640c27cefab83ae4a7ff
  • 014e73d083df4a5816bd838d03a1b38e1438914154fe0bb7d988d05df0407b84
  • 3f9fb115afd2da19d3a231791dbe3c6f615c9908b7d12376ef8b097ebdfec6e9
  • a4c908859d78973a94581ea010b10b9a83d25cbafe0c0704dc67ff43c05f0040
  • ac9ed12685f0094de0897ff72b6c457ff4fb8f8750cf1fedccd59c8976eb4f24
  • 148[.]251.71.182
  • 162[.]55.136.20
  • 91[.]214.124.143

Tip: 12 related IOCs (3 IP, 1 domain, 0 URL, 0 email, 8 file hash) to this threat have been found.


APT35APT35's Exploitation of Microsoft Exchange: Targeting Europe, Middle East, and North America

Source: AttackIQ - August 2023

Detection (one case): 148[.]251.71.182

Cobalt MirageUnveiling the Actors behind COBALT MIRAGE: A Ransomware Incident Analysis

Source: Secureworks - September 2022

Detection (one case): 148[.]251.71.182

UnknownIranian Cyber Actors Target Western Nations in Ransom and Extortion Campaigns

Source: CISA - September 2022

Detection (one case): 148[.]251.71.182

PhosphorusStealth in the System: PHOSPHORUS Exploits Exchange Server in Infrastructure Sector Attack

Source: Deep Instinct - June 2022

Detection (two cases): 148[.]251.71.182, a4c908859d78973a94581ea010b10b9a83d25cbafe0c0704dc67ff43c05f0040

TunnelVisionTunnelVision Exploits 1-Day Vulnerabilities to Unleash Ransomware

Source: SentinelLabs - February 2022

Detection (one case): google.onedriver-srv[.]ml

APT35CharmPower: APT35's Modular Toolset Exploits Log4j Vulnerability

Source: Check Point - January 2022

Detection (one case): 148[.]251.71.182

UnknownIranian APT Group Exploits Microsoft and Fortinet Vulnerabilities: A Broad Spectrum Cyber Assault

Source: CISA - November 2021

Detection (one case): 91[.]214.124.143

Memento TeamMemento Team's Innovative Ransomware Strategy: Bypassing Encryption Detection

Source: Sophos - November 2021

Detection (one case): google.onedriver-srv[.]ml

PhosphorusIranian-backed PHOSPHORUS Exploits Microsoft Exchange Vulnerabilities for Data Encryption

Source: The DFIR Report - November 2021

Detection (one case): 148[.]251.71.182

PhosphorusAutomated Scripts Used in Microsoft Exchange ProxyShell Attack By PHOSPHORUS

Source: The Dfir Report - March 2021

Detection (one case): 148[.]251.71.182

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.