According to the Crowdstrike OverWatch team, the APT group is using a modified version of the Log4j exploit published on GitHub on December 13.
Threat actors used the exploit in their attacks for reconnaissance purposes.
In the attack against the unnamed academic institution, threat actors targeted a VMware Horizon Tomcat web server that was using the Log4j library.
The attackers were observed performing multiple connectivity checks via DNS lookups for a subdomain under
dns[.]1433[.]eu[.]org, running on the VMware Horizon instance.
The researchers explained that multiple threat actors utilize publicly accessible DNS logging services like dns[.]1433[.]eu[.]org to identify vulnerable servers when they connect back to the attacker-controlled DNS service.
The attackers executed multiple Linux commands on a Windows host on which the Apache Tomcat service was running, some of them with the intent to retrieve hacking tools from remote infrastructure.
“The threat actor then executed a series of Linux commands, including attempting to execute a bash-based interactive shell with a hardcoded IP address as well as curl and wget commands in order to retrieve threat actor tooling hosted on remote infrastructure.” reads the analysis published by CrowdStrike. “Our CrowdStrike Intelligence team later linked the infrastructure to the threat actor known as AQUATIC PANDA.”
AQUATIC PANDA conducted reconnaissance from the host, using native OS binaries, it also attempts to stop a third-party endpoint detection and response (EDR) service.
Then threat actor downloaded additional scripts and then executed a Base64-encoded command via PowerShell to retrieve malware and three files with VBS file extensions from remote infrastructure.
The files are a reverse shell, which was loaded into memory via DLL search-order hijacking
The APT group also made multiple attempts at credential harvesting by dumping the memory of the LSASS process using living-off-the-land binaries. The threat actor also leveraged winRAR to compress the memory dump for later exfiltration.
The good news is that the attack was spotted by the researchers and experts alerted the target organization that quickly addressed the vulnerable system.
“Throughout the intrusion, OverWatch tracked the threat actor’s activity closely in order to provide continuous updates to the victim organization. Based on the actionable intelligence provided by OverWatch, the victim organization was able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host.” concludes the report.
(SecurityAffairs – hacking, AQUATIC PANDA)