Last Updated on 14/01/2022 by Nidhi Khandelwal
An Iranian state-sponsored actor has been seen scanning Java apps for the Log4Shell weakness and attempting to exploit it to deploy a previously undocumented PowerShell-based modular backdoor called “CharmPower” for post-exploitation.
The attack was related to a group known as APT35, which is also known by the codenames Charming Kitten, Phosphorus, and TA453, according to the Israeli cybersecurity firm, which cited parallels with tool sets previously identified as being used by the threat actor.
4228 (CVSS score: 10.0) is a major security flaw in the popular Log4j logging library that, if exploited successfully, could allow remote execution of arbitrary code on affected systems.
The ease of exploitation, combined with the widespread use of the Log4j library, has created a large pool of targets, and the flaw has drawn swarms of bad actors who have used it to stage a dizzying variety of attacks since it was made public last month.
While Microsoft previously noted APT35’s efforts to obtain and modify the Log4j exploit, new findings suggest that the hacker group has operationalized the bug to deploy a PowerShell implant capable of retrieving next-stage modules and exfiltrating data to a command-and-control (C2) server.
CharmPower’s modules also include tools for gathering system information, listing installed applications, taking screenshots, enumerating running processes, executing commands supplied by the C2 server, and cleaning up any evidence left behind by these components.
Microsoft and the NHS have warned that internet-facing systems running VMware Horizon are being targeted with web shells and a ransomware strain known as NightSky, the latter linked to a China-based operator tracked as DEV-0401, which has previously deployed LockFile, AtomSilo, and Rook ransomware.