An Iranian state-sponsored hacking group has been found to be actively exploiting vulnerabilities in Apache Log4j to distribute a new modular PowerShell toolkit.
Detailed by researchers at Check Point Software Technologies Ltd., the APT35 hacking group, also known as Phosphorous and Charming Kitten, was first detected exploiting Log4j only four days after the first vulnerability was disclosed. The attack setup is described as being rushed as they used a basic open-source JNDI exploit kit for the exploitation.
Having gained access to a vulnerable service, the Iranian hackers then included a new modular PowerShell-based framework that has been dubbed “CharmPower.” The script is used to establish persistence, gather information and execute commands.
CharmPower has four main initial modules. The first validates a network connection with the second gathering basic system enumeration such as Windows version, computer name and the content of various system files. The third module decodes the command and control domain retrieved from a hardcoded URL stored on an Amazon Web Services Inc. S3 bucket, while the final module receives, decrypts and executes follow-up modules.
Depending on the information gathered by the initial deployment, APT35 then deploys additional custom modules to facilitate data theft and to hide its presence on the infected machine.
APT35 is a well-known hacking group that most famously was linked to attacks targeting the Trump campaign, current and former U.S. government officials, journalists covering global politics and prominent Iranians living outside Iran, in 2020. The group also targeted the Munich Security Conference later the same year.
“The research tying Log4Shell exploitation to Iranian APT Charming Kitten coincides, and somewhat conflicts, with a statement made by the US Cybersecurity Infrastructure and Security Agency on Jan. 10 which suggested there had been no significant intrusions tied to the bug at that time,” Chris Morgan, senior cyber threat Intelligence analyst at digital risk solutions provider Digital Shadows Ltd told SiliconANGLE. “This likely emphasizes ongoing issues with incident disclosure and transparency, and the lag that can exist between threat actor activity and discovery.
John Bambenek, principal threat hunter at IT service management company Netenrich Inc. noted that “it’s unsurprising that second-tier nation-state actors would leverage the opportunity presented by the log4j vulnerability in a rushed fashion.”
“Any exploit of this severity would be latched upon by anyone looking to get a quick foothold and sometimes tactical windows open like this which means that you have to act quickly,” Bambenek added. “The bigger question is which intelligence agency was using this before the vulnerability was made public?”
The news that Iranian hackers were exploiting the Log4j vulnerabilities came as U.S. Cyber Command’s Cyber National Mission Force disclosed that it had identified multiple open-source tools that Iranian intelligence actors are using in networks around the world.
The disclosure related to an Iranian state-sponsored hacking group dubbed “MuddyWater.” The group has been linked to Iran’s Ministry of Intelligence and Security and primarily targets other nations in the Middle East and on occasion, countries in Europe and North America.