
Hackers use new PowerShell backdoors in log4j attacks

2022-06-23 07:53:00 Khan security team

According to observations, hackers believed to be part of the Iranian state-sponsored group APT35 (also known as "Charming Kitten" or "Phosphorus") have exploited Log4Shell to deploy a new PowerShell backdoor.

The modular payload handles C2 communication, performs system enumeration, and finally receives, decrypts and loads additional modules.

Log4Shell is the exploitation of CVE-2021-44228, a critical remote code execution vulnerability in Apache Log4j disclosed in December.

According to Check Point researchers, APT35 scanned for vulnerable systems within days of the vulnerability's public disclosure, exploiting it before targets had a chance to apply security updates.

Check Point, which has been tracking these attempts, attributes the exploitation activity to APT35 because the threat actor's attack was hastily set up on previously exposed infrastructure known to be used by the group.

However, as part of their research, the analysts also found something new: a modular PowerShell backdoor called "CharmPower".

A modular backdoor for multiple tasks

Exploitation of CVE-2021-44228 results in the execution of a PowerShell command carrying a base64-encoded payload, which ultimately retrieves the "CharmPower" module from an actor-controlled Amazon S3 bucket.

The core module can perform the following main functions:

  • Validate network connection - After execution, the script issues an HTTP POST request to google.com with the parameter hi=hi and waits for an active Internet connection.
  • Basic system enumeration - The script collects the Windows operating system version, the computer name and the contents of the file Ni.txt under the $APPDATA path; this file may be created and populated by different modules downloaded by the main module.
  • Retrieve the C&C domain - The malware obtains the C&C domain by decoding it from a hard-coded URL, hxxps://s3[.]amazonaws[.]com/doclibrarysales/3, which is located in the same S3 bucket from which the backdoor was downloaded.
  • Receive, decrypt and execute follow-up modules.

The core module continuously sends HTTP POST requests to the C2; these requests either go unanswered or receive a Base64 string that starts the download of an additional PowerShell or C# module.

"CharmPower" is responsible for decrypting and loading these modules, which then establish their own independent communication channels with the C2.
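The launch chain described above starts with a PowerShell command whose payload is base64-encoded, so a defender's first step is to decode such commands from process-creation logs and check what they contain. The following is an added detection example; it is not code from this article or from Check Point. It decodes "-EncodedCommand" blobs (UTF-16LE under base64, the form PowerShell expects) and flags the two indicators the article gives for the core module: a URL under s3.amazonaws.com and the hi=hi POST to google.com. The log format, host names and the two sample scripts are constructed; the S3 URL in the suspicious sample is the one quoted in the article.

```python
"""
Added detection example; it is not code from the original article or from
Check Point. It decodes base64 "-EncodedCommand" PowerShell launches found in
process-creation log lines and flags the CharmPower indicators the article
describes. The log format, host names and sample scripts are constructed.
"""
import base64
import binascii
import re
from dataclasses import dataclass

# PowerShell accepts abbreviated spellings of -EncodedCommand; match the usual ones.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)

# Indicators taken from the article: modules and the C2 domain are fetched from an
# Amazon S3 bucket, and a POST with hi=hi to google.com serves as a connectivity check.
INDICATORS = {
    "s3-bucket-url": re.compile(r"https?://s3\.amazonaws\.com/\S+", re.IGNORECASE),
    "connectivity-check-hi=hi": re.compile(
        r"google\.com.*hi=hi|hi=hi.*google\.com", re.IGNORECASE | re.DOTALL
    ),
}


@dataclass
class Finding:
    host: str
    decoded: str
    indicators: list


def encode_ps(script: str) -> str:
    """Base64 of the UTF-16LE script, the form -EncodedCommand expects.
    Used here only to build the constructed sample log lines."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(b64: str):
    """Reverse the -EncodedCommand encoding; None if the blob is not valid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_log(lines):
    """One Finding per encoded PowerShell launch, with the indicators it matched.
    Launches that match nothing are still returned, since an encoded command
    is itself worth reviewing."""
    findings = []
    for line in lines:
        host = re.search(r"\bhost=(\S+)", line)
        cmdline = re.search(r"\bcmdline=(.*)$", line)
        if not (host and cmdline):
            continue
        blob = ENCODED_FLAG.search(cmdline.group(1))
        if not blob:
            continue
        decoded = decode_encoded_command(blob.group(1))
        if decoded is None:
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        findings.append(Finding(host.group(1), decoded, hits))
    return findings


# Constructed samples: a harmless encoded command and one that mirrors the
# behaviour described in the article (the URL is the one quoted there).
BENIGN_SCRIPT = "Get-Service | Where-Object Status -eq 'Running'"
SUSPICIOUS_SCRIPT = (
    "Invoke-WebRequest -Uri 'http://google.com' -Method Post -Body 'hi=hi'\n"
    "$c2 = (Invoke-WebRequest -Uri 'https://s3.amazonaws.com/doclibrarysales/3').Content"
)
PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CONSTRUCTED_LOGS = [
    "2022-01-11T10:01:55Z host=WS01 image=C:\\Windows\\System32\\notepad.exe cmdline=notepad.exe report.txt",
    f"2022-01-11T10:02:01Z host=WS01 image={PS_IMAGE} cmdline=powershell.exe -NoP -enc {encode_ps(BENIGN_SCRIPT)}",
    f"2022-01-11T10:02:13Z host=WS02 image={PS_IMAGE} cmdline=powershell.exe -NoP -W Hidden -enc {encode_ps(SUSPICIOUS_SCRIPT)}",
]

if __name__ == "__main__":
    for f in analyze_log(CONSTRUCTED_LOGS):
        print(f.host, f.indicators or "no indicator", "|", f.decoded.splitlines()[0])
```

Running the script prints one line per encoded launch: WS01's benign command decodes cleanly and matches nothing, while WS02's launch matches both indicators. In practice the same loop would be fed from Sysmon event 1 or Security event 4688 command lines, and the indicator table can be extended with the S3 path or domain decoded from the hard-coded URL once it is known in your environment.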

Add-on modules retrieved from the decoded C2

The list of modules sent to the infected endpoint is generated automatically from the basic system data that CharmPower retrieved during the reconnaissance phase.

The additional modules sent by the C2 are as follows:

  • Applications - Enumerates uninstall registry values and uses the "wmic" command to determine which applications are installed on the infected system.
  • Screen capture - Captures screenshots at a specified frequency and uploads them to an FTP server using hard-coded credentials.
  • Process - Uses the tasklist command to obtain the running processes.
  • System information - Runs the "systeminfo" command to collect system information. More commands are present but have been commented out.
  • Command execution - Offers Invoke-Expression, cmd and PowerShell options.
  • Cleanup - Removes all traces the modules left on the infected system, such as registry and startup-folder entries, files and processes. It is dropped at the end of an APT35 attack.
[Figure: the cleanup module that removes all traces of activity]

Similarities with an older backdoor

Check Point noticed similarities between "CharmPower" and Android spyware that APT35 used in the past, including the implementation of the same logging function and the use of the same format and syntax.

In addition, the "Stack=Overflow" parameter can be seen in the C2 communication of both samples, a unique element observed only in APT35 tools.

[Figure: the same parameter used in the two malware samples]
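The two network behaviours the article attributes to CharmPower, the hi=hi POST to google.com and the "Stack=Overflow" parameter in C2 traffic, are visible in outbound HTTP logs even when the host-side evidence has been cleaned up. The following is an added example, not code from this article or from Check Point, that correlates both behaviours per source host. It assumes the parameter appears in the query string or POST body of the C2 request (the article does not say where it is carried), and the proxy log format, host names, the id value and the C2 domain c2.example.invalid are all constructed.

```python
"""
Added example; not code from the original article or from Check Point. It
correlates outbound HTTP log entries per source host for the two network
behaviours the article attributes to CharmPower: the hi=hi POST to google.com
used as a connectivity check, and the "Stack=Overflow" parameter seen in its
C2 traffic. Assumptions: the parameter appears in the query string or POST
body, and the log format, host names and C2 domain below are constructed.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log: timestamp, source host, method, URL, body ("-" if none).
CONSTRUCTED_PROXY_LOG = """\
2022-01-11T10:02:13Z WS02 POST http://google.com/ hi=hi
2022-01-11T10:02:15Z WS02 POST https://c2.example.invalid/api?Stack=Overflow&id=ZJ21 -
2022-01-11T10:03:15Z WS02 POST https://c2.example.invalid/api?Stack=Overflow&id=ZJ21 -
2022-01-11T10:04:15Z WS02 POST https://c2.example.invalid/api?Stack=Overflow&id=ZJ21 -
2022-01-11T10:02:40Z WS01 GET https://stackoverflow.com/questions/12345 -
2022-01-11T10:05:01Z WS03 POST https://google.com/search q=hello
"""


def request_params(url, body):
    """Merge query-string and form-body parameters into one dict of lists."""
    params = parse_qs(urlsplit(url).query)
    if body != "-":
        for key, values in parse_qs(body).items():
            params.setdefault(key, []).extend(values)
    return params


def is_google(dest):
    return dest == "google.com" or dest.endswith(".google.com")


def correlate(log_text):
    """Count, per source host, connectivity checks and Stack=Overflow beacons."""
    per_host = defaultdict(
        lambda: {"connectivity_check": 0, "beacon": 0, "beacon_hosts": set()}
    )
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue  # malformed or blank line
        _ts, src, method, url, body = parts
        dest = urlsplit(url).hostname or ""
        params = request_params(url, body)
        if method == "POST" and is_google(dest) and params.get("hi") == ["hi"]:
            per_host[src]["connectivity_check"] += 1
        # Assumption: the Stack=Overflow marker is carried as an HTTP parameter.
        if params.get("Stack") == ["Overflow"]:
            per_host[src]["beacon"] += 1
            per_host[src]["beacon_hosts"].add(dest)
    return per_host


def assess(log_text):
    """'high' when a host shows both behaviours, 'medium' for either one alone."""
    verdicts = {}
    for src, stats in correlate(log_text).items():
        both = stats["connectivity_check"] and stats["beacon"]
        verdicts[src] = "high" if both else "medium"
    return verdicts


if __name__ == "__main__":
    verdicts = assess(CONSTRUCTED_PROXY_LOG)
    for src, stats in correlate(CONSTRUCTED_PROXY_LOG).items():
        print(src, verdicts[src], dict(stats))
```

On the constructed log only WS02 is reported: it performed the connectivity check and then beaconed three times, once a minute, to the same destination with the Stack=Overflow parameter. WS01's visit to stackoverflow.com and WS03's ordinary POST to google.com match neither rule, which is the point of checking the parameter values rather than the domain names.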

These code similarities and infrastructure overlaps led Check Point to attribute the activity to APT35.

"CharmPower" is an example of how an experienced actor can respond quickly to a vulnerability such as CVE-2021-44228 and combine code from previously exposed tools to create something powerful and effective that gets past security and detection layers.


Copyright notice
This article was created by [Khan security team]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/01/202201122252497779.html