Iran-linked APT35 group exploits Log4Shell flaw to deploy a new PowerShell backdoor

Iran-linked APT35 group has been observed leveraging the Log4Shell flaw to drop a new PowerShell backdoor.

Iran-linked APT35 cyberespionege group (aka ‘Charming Kitten‘ or ‘Phosphorus‘) has been observed leveraging the Log4Shell flaw to drop a new PowerShell backdoor, Check Point researchers states.

The experts also details the use of a modular PowerShell-based framework dubbed CharmPower, that allows attackers to establish persistence, gather information, and execute commands.

APT35 group started attempting to leverage the Log4j flaw in publicly facing systems only four days after the public disclosure of the vulnerability.

The nation-state group used one of the publicly available open-source JNDI Exploit Kits to exploit the Log4Shell vulnerability. The kit used by the attackers was then removed from GitHub due to its popularity following the alert of its abuses.

To exploit the flaw, the attackers send a crafted request to the target’s publicly facing resource, then a malicious Java class is retrieved from the attacker’s server and executed on a vulnerable machine. The class runs a PowerShell command with a base64-encoded payload that handles communications with C2, and eventually receives and executes additional payloads.

The main module performs the following operations:

• Validate network connection – Upon execution, the script waits for an active internet connection by making HTTP POST requests to google.com with the parameter hi=hi.
• Basic system enumeration – The script collects the Windows OS version, computer name, and the contents of a file Ni.txt in $APPDATA path; the file is presumably created and filled by different modules that will be downloaded by the main module.
• Retrieve C&C domain – The malware decodes the C&C domain retrieved from a hardcoded URL hxxps://s3[.]amazonaws[.]com/doclibrarysales/3 located in the same S3 bucket from where the backdoor was downloaded.
• Receive, decrypt, and execute follow-up modules.

One data gathering is completed, the malware starts communication with the C&C server by periodically sending HTTP POST requests to the following URL on the received domain:

<C&C domain>/Api/Session.

The C&C server in turn can respond by sending a NoComm (No command, which causes the script to keep sending POST requests), or with a Base64 string which is the module to execute.

The modules downloaded by the main component are either PowerShell scripts, or C# code.

Every module is auto-generated by the threat actors based on the data gathered during the reconnaissance phase and sent by the main module. Each of the modules contains a hardcoded machine name and a hardcoded C&C domain.

The additional modules sent by the C2 are the following:

• Applications
• Screenshot
• Process
• System information
• Command Execution
• Cleanup

Check Point researchers discovered code similarities between ‘CharmPower’ and an Android spyware used by cyberespionage group.

“Every time there is a new published critical vulnerability, the entire InfoSec community holds its breath until its worst fears come true: scenarios of real-world exploitation, especially by state-sponsored actors. As we showed in this article, the wait incase of Log4j vulnerability was only a few days. The combination of its simplicity, and the widespread number of vulnerable devices, made this a very attractive vulnerability for actors such as APT35.” concludes the report.

“In these attacks, the actors still used the same or similar infrastructure as in many of their previous attacks. However, judging by their ability to take advantage of the Log4j vulnerability and by the code pieces of the CharmPower backdoor, the actors are able to change gears rapidly and actively develop different implementations for each stage of their attacks.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)

[adrotate banner=”5″]

[adrotate banner=”13″]