IRGC-Linked Hackers Package Modular Malware in Monolithic Trojan

A state-level Iranian APT is turning back the clock by consolidating its modular backdoor into a monolithic PowerShell Trojan.

Recently, TA453 (aka APT42, CharmingCypress, Mint Sandstorm, Phosphorus, Yellow Garuda), which overlaps broadly with Charming Kitten, executed a phishing attack against an Israeli rabbi. Masquerading as the research director of the Institute for the Study of War (ISW), the group engaged with the religious leader over email, inviting him to feature on a fake podcast.

At the end of its infection chain, TA453 delivered its victim the newest in its line of modular PowerShell backdoors. This time, though, unlike in prior campaigns, the group bundled its entire malware package into a single script.

"This is the first time I have personally seen malware that's been modular, in many different pieces, then consolidated into one piece," says Josh Miller, threat researcher at Proofpoint, which published a blog about the case on Tuesday.

Single PowerShell Trojan

Around a half decade ago, a major new trend spread among malware authors. Taking a page from legitimate software developers — who, at the time, were increasingly adopting microservices architectures in place of monolithic ones — bad guys began to design their malicious tools not as single files, but as frameworks with pluggable parts.

The flexibility of "modular" malware offered a variety of benefits. Hackers could now more easily fine tune the same malware for different targets by simply adding and dropping components ad hoc, even after an infection had already taken place.

"Modular malware is kind of neat, because I can start with just the core functionality," says Steven Adair, founder of Volexity. "Then once I've validated the target machine is actually real and not a researcher's sandbox system, I can push down additional tooling and functions."

Its newest backdoor, dubbed "AnvilEcho," is a successor to the group's previous espionage tools: GorjolEcho/PowerStar, TAMECURL, MischiefTut, and CharmPower. The difference: rather than parts sold separately, all of AnvilEcho's component parts come squished into a single PowerShell Trojan. Why?

"You could have a backdoor that has literally every feature under the sun, but sometimes that may raise the size of the malware download, and it may be better detected," Adair says. Besides taking up a smaller footprint, malware delivered in more disparate chunks can also confuse analysts who see only the trees, not the forest.

A Malware Toss-Up

On the other hand, monolithic malware is simpler to deploy. And in the course of its attack on the Israeli rabbi, TA453 compensated for any resultant lack of secrecy in all kinds of other ways along its attack path.

"In the past," Miller explains, "we've seen that after getting a response back from someone, TA453 just immediately sends an attachment which loads malware. Now they're sending a ZIP file that has an LNK inside of it, that then deploys all of these additional stages too. It seems almost unnecessarily complicated in some ways."

He adds that, this time, "It wasn't deployed until they'd already known that the target was engaging with them, and willing to click on links and download stuff from file sharing websites and enter passwords into files. I think they had confidence that the malware would be run when delivered."

Ultimately, when it comes to bundling versus separating malware components, "There's not necessarily a super pro or con to one or the other — both approaches work fine," Adair says.