Iranian hackers deploy PowerShell backdoor by exploiting Log4j flaw

State-sponsored threat actors attempt to abuse the Log4Shell flaw

Log4Shell flaw exploited by another hacker group

The vulnerability, present in publicly exposed Java applications, was exploited to deliver a previously undocumented PowerShell-based backdoor. The modular trojan, named CharmPower, lets the attackers follow up the initial exploitation with further malicious activity and processes.[1] The hackers, known as the Charming Kitten group, used the Log4Shell attacks to drop a payload that handles C2 communication, enumerates the system, and receives, decrypts and loads additional modules.[2]

The campaign appears to have been set up somewhat hastily: a basic, publicly available open-source tool was used for the exploitation, and because the operation reused elements of previous ones, it was easier for researchers to detect and attribute.[3] APT35 is a well-known group whose infrastructure and toolsets recur across most of its attacks, which makes its activity easier to identify.

The Log4Shell vulnerability these threat actors exploited, CVE-2021-44228, has caused major problems all over the world. The flaw carries the maximum CVSS severity score of 10.0 and still haunts organizations and users in 2022.[4] It allows an unauthenticated attacker to achieve remote code execution on affected systems simply by getting the application to log a crafted string.

PowerShell modular backdoor CharmPower

APT35 reused tooling and infrastructure already exposed in earlier operations attributed to the group, but the modular backdoor itself revealed some new features. The malware can perform a range of tasks on the exploited machine. After execution, the trojan validates its network connection by making HTTP POST requests to google.com.

The script collects the Windows version, the computer name and the contents of files. The malware performs basic system enumeration and retrieves the C&C domain in encoded form; it decodes the domain and can then receive, decrypt and execute further modules on the already compromised machine.

These additional modules, sent from the C2 server, can:

  • gather data about installed applications, including the entries under the Uninstall registry key;
  • capture screenshots;
  • collect information about running processes;
  • execute commands remotely;
  • clear traces of the malware, such as startup files and processes.

Iranian state-backed hackers not stopping

Check Point listed a number of similarities between this and other attacks involving the same group. In particular, code overlaps were found between the group's Android spyware and CharmPower: the logging functions and other implementation details match those of earlier campaigns by APT35, aka Charming Kitten. These overlaps are what allowed researchers to identify the threat actor behind the attacks.

APT groups usually change their tools and infrastructure to avoid detection and make attribution harder. APT35, however, does not follow this pattern.

Iranian hackers also made headlines recently when US Cyber Command linked MuddyWater to Iran's Ministry of Intelligence and Security.[5] MuddyWater is a threat actor that has carried out attacks against nations in the Middle East, Europe and North America, and it has long been suspected of being state-backed.

The group is known for attacks on entities in academia, government, cryptocurrency, telecommunications and the oil sector, and is believed to have been active since 2017. Its operators exploit vulnerabilities and abuse remote desktop management tools to spread backdoors and custom malware, gaining unauthorized access to particularly sensitive and valuable data.

Once a system is compromised, information can be stolen from it. Exploited vulnerabilities also let attackers exfiltrate data for later extortion and deploy ransomware, which itself demands payment in cryptocurrency.

About the author
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
