
Com TW NOw News 2024

Hackers with ties to IRGC transform malware into a monolithic Trojan

An Iranian state-level APT turns back the clock by consolidating its modular backdoor into a monolithic PowerShell Trojan.

Recently TA453 (also known as APT42, CharmingCypress, Mint Sandstorm, Phosphorus, Yellow Garuda), a group that largely overlaps with Charming Kitten, launched a phishing attack on an Israeli rabbi. Posing as the research director of the Institute for the Study of War (ISW), the group engaged the religious leader via email, inviting him to participate in a fake podcast.

At the end of the infection chain, TA453 delivered its victim the latest in its line of modular PowerShell backdoors. This time, however, unlike previous campaigns, the group bundled its entire malware package into a single script.

“This is the first time I’ve ever seen malware that was built modularly, with many different parts, and then stitched together into one,” said Josh Miller, a threat researcher at Proofpoint, which published a blog about the case on Tuesday.

Single PowerShell Trojan

About half a decade ago, a major new trend spread among malware authors. Taking a cue from legitimate software developers, who at the time were increasingly adopting microservices architectures instead of monolithic ones, bad actors began designing their malicious tools not as single files, but as frameworks with pluggable components.

The flexibility of “modular” malware offered a range of benefits. Hackers could now more easily fine-tune the same malware for different purposes by simply adding and removing components ad hoc, even after an infection had already taken place.

“Modular malware is pretty cool because I can start with just the core functionality,” says Steven Adair, founder of Volexity. “Once I validate that the target machine is real and not some researcher’s sandbox system, I can push additional tooling and features.”

The latest backdoor, dubbed “AnvilEcho,” is a successor to the group’s previous spy tools: GorjolEcho/PowerStar, TAMECURL, MischiefTut, and CharmPower. The difference: instead of separate components, all of AnvilEcho’s components are compressed into a single PowerShell Trojan. Why?

“You could have a backdoor that literally has every feature under the sun, but sometimes that can increase the size of the malware download and make it more detectable,” Adair said. In addition to having a smaller footprint, malware delivered in more diverse pieces can also confuse analysts who can only see the trees and not the forest.

A malware call

On the other hand, monolithic malware is easier to implement. And in the attack on the Israeli rabbi, TA453 compensated for any resulting loss of stealth in various other ways along the attack path.

“In the past,” Miller explains, “we’ve seen TA453 immediately send an attachment after someone comments that loads malware. Now they’re sending a ZIP file with a LNK in it, which then implements all these additional steps as well. It almost seems unnecessarily complicated in some ways.”
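The delivery chain Miller describes, a ZIP attachment carrying a LNK shortcut that kicks off the remaining stages, is something a mail gateway can flag before any PowerShell runs. The following is an added example, not code from the article or from Proofpoint: it scans an in-memory archive (constructed here as sample input) for members that are shortcuts, either by extension or by the Shell Link header, one level of nesting deep.

```python
import io
import zipfile

# Windows shortcut (.lnk) files begin with HeaderSize 0x4C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 in its on-disk form.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")


def lnk_entries(zip_bytes: bytes, depth: int = 1) -> list[str]:
    """Return names of archive members that look like shortcuts.

    A member counts if its name ends in .lnk or its bytes start with the
    Shell Link header (catches renamed shortcuts). Nested ZIPs are opened
    up to `depth` levels so a shortcut hidden one archive down is still seen.
    Members are read whole; a production filter should cap member sizes.
    """
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            name = info.filename
            if name.lower().endswith(".lnk") or data.startswith(LNK_MAGIC):
                hits.append(name)
            elif depth > 0 and data.startswith(b"PK\x03\x04"):
                try:
                    hits.extend(f"{name}/{n}" for n in lnk_entries(data, depth - 1))
                except zipfile.BadZipFile:
                    pass  # looked like a ZIP but is not one; ignore
    return hits


def build_sample() -> bytes:
    """Constructed sample: a decoy document, a shortcut named as a .lnk, and
    a nested archive carrying a shortcut with a misleading extension."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("hidden.bin", LNK_MAGIC + b"\x00" * 56)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invite.pdf", b"%PDF-1.4 decoy")
        z.writestr("podcast.lnk", LNK_MAGIC + b"\x00" * 56)
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(lnk_entries(build_sample()))  # ['podcast.lnk', 'inner.zip/hidden.bin']
```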

He adds that this time, “it wasn’t deployed until they already knew the target was engaged with them and was willing to click on links and download things from file-sharing sites and enter passwords into files. I think they were confident that the malware would execute when it was delivered.”

When it comes to bundling or separating malware components, “there’s not necessarily a super advantage or disadvantage to one approach or the other. Both approaches work just fine,” Adair says.