TAMECAT: The Sophisticated PowerShell Backdoor Targeting Browser Credentials
A new cyber threat named TAMECAT has surfaced, posing significant risks to enterprise security by targeting login credentials stored in Microsoft Edge and Chrome browsers. This advanced PowerShell-based malware is linked to APT42, an Iranian state-sponsored cyber-espionage group known for its focus on high-ranking defense and government officials globally.
Infection Process and Social Engineering Tactics
TAMECAT’s infection chain starts with social engineering. Attackers impersonate trusted contacts on platforms such as WhatsApp and send victims malicious links that abuse the search-ms URI protocol handler. Once a link is opened, a VBScript is downloaded that checks the target system for antivirus software, so the malware can choose its execution path accordingly.
Modular Architecture and Command-and-Control Channels
The malware’s modular design enables it to perform a variety of functions, including credential theft, data exfiltration, and maintaining persistent access to compromised systems. It utilizes multiple command-and-control (C2) channels, such as Telegram bots, Discord, Firebase, and Cloudflare Workers infrastructure, to communicate with its operators. This versatility allows TAMECAT to download additional PowerShell scripts and execute remote commands, enhancing its surveillance capabilities.
Persistence Mechanisms and Data Exfiltration
To establish persistence, TAMECAT employs several techniques. It uses WebDAV servers to deliver malicious LNK files disguised as PDF documents. When executed, these files initiate processes that create logon scripts and registry run keys, ensuring the malware remains active on the system. Communication with its C2 infrastructure is conducted through encrypted channels, utilizing AES encryption with predefined keys to secure the transmission of stolen data. This layered obfuscation makes detection by traditional security tools more challenging.
Credential Extraction Techniques
TAMECAT uses different methods to extract login credentials from each browser. For Microsoft Edge, it leverages the browser’s remote debugging feature to read data while the application is running. For Chrome, it temporarily suspends the browser process so it can read the stored credential databases without contention. This dual approach lets it harvest authentication data whichever browser the victim uses.
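The behaviours described in the three sections above (the search-ms lure and VBScript stage, the WebDAV-delivered LNK with Run-key and logon-script persistence, and Edge launched with remote debugging) each leave a footprint in endpoint telemetry. The following Python is an added example, not code from the article or from any vendor; it encodes those footprints as simple rules over Sysmon-style process-creation (EventID 1), file-creation (EventID 11) and registry-value (EventID 13) records. The events are constructed samples: the file names, the `S-1-5-21-PLACEHOLDER` SID, the messaging-client path and the 203.0.113.5 address are placeholders, and the `UserInitMprLogonScript` value is assumed here as the common registry location for user logon scripts, since the article does not say which mechanism TAMECAT uses.

```python
"""Added example: rule-based detection of TAMECAT-style endpoint behaviour.
Field names follow Sysmon (Image, ParentImage, CommandLine, TargetObject,
TargetFilename) but the detector only needs plain dictionaries."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
Rule = Tuple[str, Callable[[Event], bool]]

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.I)
# \\host@SSL\DavWWWRoot\... is how Windows addresses a WebDAV share over HTTPS
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@(?:ssl|\d+)\\davwwwroot\\", re.I)
DOUBLE_EXT_LNK = re.compile(r"\.pdf\.lnk$", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
LOGON_SCRIPT = re.compile(r"\\environment\\userinitmprlogonscript$", re.I)  # assumed location


def image_name(ev: Event, field: str = "Image") -> str:
    """Lower-cased file name of the process in `field` (empty if absent)."""
    return ev.get(field, "").rsplit("\\", 1)[-1].lower()


def is_process_create(ev: Event) -> bool:
    return ev.get("EventID") == "1"


def is_registry_set(ev: Event) -> bool:
    return ev.get("EventID") == "13"


def is_file_create(ev: Event) -> bool:
    return ev.get("EventID") == "11"


RULES: List[Rule] = [
    ("search-ms URI handed to explorer.exe (initial-access lure)",
     lambda ev: is_process_create(ev) and image_name(ev) == "explorer.exe"
     and "search-ms:" in ev.get("CommandLine", "").lower()),
    ("script host running a VBScript from a user-writable path",
     lambda ev: is_process_create(ev) and image_name(ev) in ("wscript.exe", "cscript.exe")
     and ".vbs" in ev.get("CommandLine", "").lower()
     and bool(USER_WRITABLE.search(ev.get("CommandLine", "")))),
    ("WebDAV DavWWWRoot path on a command line",
     lambda ev: is_process_create(ev) and bool(WEBDAV_UNC.search(ev.get("CommandLine", "")))),
    ("LNK file with a .pdf double extension written to disk",
     lambda ev: is_file_create(ev) and bool(DOUBLE_EXT_LNK.search(ev.get("TargetFilename", "")))),
    ("Run key written by a script host",
     lambda ev: is_registry_set(ev) and image_name(ev) in SCRIPT_HOSTS
     and bool(RUN_KEY.search(ev.get("TargetObject", "")))),
    ("UserInitMprLogonScript logon-script value written",
     lambda ev: is_registry_set(ev) and bool(LOGON_SCRIPT.search(ev.get("TargetObject", "")))),
    ("Edge started with --remote-debugging-port by a script host",
     lambda ev: is_process_create(ev) and image_name(ev) == "msedge.exe"
     and "--remote-debugging-port" in ev.get("CommandLine", "").lower()
     and image_name(ev, "ParentImage") in SCRIPT_HOSTS),
]


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that matches an event."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        for name, predicate in RULES:
            if predicate(ev):
                hits.append((i, name))
    return hits


# Constructed sample events (not real telemetry); paths and the 203.0.113.5 address are placeholders.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "1", "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Messenger\Messenger.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" "search-ms:query=Report&crumb=location:\\203.0.113.5@SSL\DavWWWRoot\docs"'},
    {"EventID": "1", "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\check.vbs"'},
    {"EventID": "11", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\Report.pdf.lnk"},
    {"EventID": "13", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": "13", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Environment\UserInitMprLogonScript"},
    {"EventID": "1", "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"msedge.exe" --headless --remote-debugging-port=9222'},
    # Benign controls: a normal browser launch and an installer writing its own Run key.
    {"EventID": "1", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r'"chrome.exe"'},
    {"EventID": "13", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"},
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The first sample event trips two rules (the search-ms lure and the WebDAV path embedded in its crumb), which is the expected shape of this lure; the two benign records trip none because the Run-key rule is gated on the writing process being a script host. The Edge rule keys on the parent being a script host rather than on the flag alone, since developers do start browsers with `--remote-debugging-port` legitimately; in production these rules belong in a SIEM or EDR query with the same parent-process gating.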
In-Memory Operations and Data Exfiltration Strategy
The credential extraction module operates entirely in memory, leaving minimal forensic traces on the infected system. After collecting credentials, TAMECAT uses its Download Module and a specialized DLL component called Runs.dll to divide the stolen data into smaller segments before exfiltration. This segmentation helps the malware evade network monitoring tools that might detect large data transfers. The exfiltration process employs multiple channels simultaneously, including FTP and HTTPS protocols, providing redundancy if one communication path is blocked or monitored.
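Because the exfiltration stage splits stolen data into small segments and pushes them over FTP and HTTPS at the same time, a size-based alert on a single transfer will not fire; what stands out instead is the count of small outbound transfers from one process to one destination in a short window, and one process using both channels. The Python below is an added example, not code from the article or from any vendor, and the flow records are constructed (the 203.0.113.x and 198.51.100.7 addresses are placeholders). It assumes per-connection byte counts are available, as they are from a proxy log or a NetFlow-style export joined to process telemetry.

```python
"""Added example: spotting segmented, multi-channel exfiltration in flow records."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    ts: datetime
    image: str      # path of the process that opened the connection
    dest: str       # destination address
    port: int
    bytes_out: int


CHUNK_MAX = 64 * 1024            # a transfer at or below this size counts as a "segment"
MIN_SEGMENTS = 8                 # this many segments to one destination...
WINDOW = timedelta(minutes=5)    # ...inside this sliding window raises a finding
CHANNEL_BY_PORT = {21: "ftp", 443: "https"}


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def segmented_transfers(flows: List[Flow]) -> List[Tuple[str, str, int, int]]:
    """Return (process, destination, max segments in one window, total small bytes)
    for each process/destination pair whose small transfers cluster densely enough."""
    by_pair: Dict[Tuple[str, str], List[Flow]] = defaultdict(list)
    for f in flows:
        if f.bytes_out <= CHUNK_MAX:
            by_pair[(_name(f.image), f.dest)].append(f)
    findings = []
    for (image, dest), fs in by_pair.items():
        fs.sort(key=lambda f: f.ts)
        start, best = 0, 0
        for end in range(len(fs)):            # classic sliding window over sorted timestamps
            while fs[end].ts - fs[start].ts > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= MIN_SEGMENTS:
            findings.append((image, dest, best, sum(f.bytes_out for f in fs)))
    return findings


def multi_channel_senders(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Processes that sent over more than one of the channel types in CHANNEL_BY_PORT."""
    channels: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.port in CHANNEL_BY_PORT:
            channels[_name(f.image)].add(CHANNEL_BY_PORT[f.port])
    return {img: chans for img, chans in channels.items() if len(chans) > 1}


# Constructed sample flows: a script host drip-feeding 40 KB segments over HTTPS and FTP,
# next to a browser doing ordinary small requests and one large legitimate upload.
_T0 = datetime(2024, 1, 1, 9, 0, 0)
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_FLOWS: List[Flow] = (
    [Flow(_T0 + timedelta(seconds=20 * i), _PS, "203.0.113.10", 443, 40_000) for i in range(10)]
    + [Flow(_T0 + timedelta(seconds=25 * i + 5), _PS, "198.51.100.7", 21, 40_000) for i in range(3)]
    + [Flow(_T0 + timedelta(seconds=60 * i), _CHROME, "203.0.113.20", 443, 2_000) for i in range(4)]
    + [Flow(_T0 + timedelta(minutes=2), _CHROME, "203.0.113.20", 443, 5_000_000)]
)

if __name__ == "__main__":
    for image, dest, segments, total in segmented_transfers(SAMPLE_FLOWS):
        print(f"{image} -> {dest}: {segments} segments in {WINDOW}, {total} bytes")
    for image, chans in multi_channel_senders(SAMPLE_FLOWS).items():
        print(f"{image} used channels {sorted(chans)}")
```

The thresholds are deliberately loose starting points: `CHUNK_MAX` should sit above the segment size an adversary would plausibly choose and `MIN_SEGMENTS` below the number needed to move a credential database, and both should be tuned against a baseline of the environment's normal traffic. Joining the flow to the originating process is what keeps false positives down; a browser or sync client making many small HTTPS requests is normal, a script host doing so to a single address is not.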
Implications and Recommendations
The emergence of TAMECAT underscores the evolving sophistication of cyber threats targeting sensitive information. Organizations are advised to implement robust security measures, including regular software updates, employee training on recognizing social engineering tactics, and deploying advanced endpoint protection solutions capable of detecting fileless malware and PowerShell-based attacks. Monitoring for unusual network activity and employing multi-factor authentication can further enhance defense against such threats.