Threats Feed|Charming Kitten|Last Updated 17/01/2024|AuthorCertfa Radar|Publish Date28/06/2023

Decoding Charming Kitten's POWERSTAR Deployment in Recent Cyber Attack

  • Actor Motivations: Espionage,Exfiltration
  • Attack Vectors: Backdoor,Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: High Impact/High Probability

Threat Overview

The Iranian cyber-espionage group, Charming Kitten, targeted an individual who published an article about Iran. The attackers impersonated a reporter and carried out a series of seemingly benign interactions before sending a malicious RAR file containing the POWERSTAR backdoor. The backdoor, once executed, collects system information and communicates with a command-and-control server via encrypted channels. The attackers employ several modules for system reconnaissance, establishing persistence, and cleaning up forensic evidence. Notably, they leveraged the InterPlanetary File System (IPFS) as a fallback mechanism for command-and-control communication.

Detected Targets

RegionUnited States
RegionMiddle East Countries

Extracted IOCs

  • fuschia-rhinestone.cleverapps[.]io
  • openlibrary.ignorelist[.]com
  • 5398e9063ee0d6189cf59c8d4403a40d
  • 99dc6ab3f88629069b5109f5ed530e25
  • a2b407eac00422b2bc7ac59a74fc47e0
  • e4e8864f88724b736ec3568fd8916796
  • f5eddfaeb353ceca4b8713f88f030604
  • 0161ba63e65a2b39b754b9d16cf2bc62de98e99a
  • 214bf21a567b678ec4250c1aca4cf71275e2860e
  • 2581e9bf9fa219cb1bce393f7492212612228221
  • 5671ff66d0ea0cd93b04ca0ab35ff4e33e33833a
  • 9777f106ac62829cd3cfdbc156100fe892cfc4038f4c29a076e623dc40a60872
  • 977cf5cc1d0c61b7364edcf397e5c67d910fac628c6c9a41cf9c73b3720ce67f
  • 991620817274d4031889134d40294cc6e086cf56e738a8ea78c49860c6dccdce
  • hxxp://[.]com/sa/88w3x81en/cettj34c.txt
  • hxxps://[.]com/k41we/btw74c.txt
  • hxxps://[.]com/share/us-china.pdf
  • hxxps://[.]com
  • hxxps://[.]com/bluebox10546/k41we/bts74e.txt
  • hxxps://[.]com/bluebox10546/k41we/k24510.txt

Tip: 23 related IOCs (0 IP, 5 domain, 6 URL, 0 email, 12 file hash) to this threat have been found.


TA453TA453 Campaign Deploys Novel PowerShell Backdoor and Mac-Specific Malware

Source: Proofpoint - July 2023

Detection (one case): fuschia-rhinestone.cleverapps[.]io

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.