A New PowerShell Backdoor Is Being Used in Log4j Attacks
State-Backed Hackers Are Apparently Leveraging Log4Shell Attacks to Drop a New PowerShell Backdoor.
Last updated on January 12, 2022
At the end of 2021, proof-of-concept exploits for a significant zero-day vulnerability discovered in the widely used Apache Log4j Java-based logging library were distributed online, exposing both home users and businesses to continuous remote code execution attacks.
The vulnerability, officially tagged as CVE-2021-44228 and called Log4Shell or LogJam, is an unauthenticated RCE vulnerability that allows total system takeover on systems running Log4j 2.0-beta9 through 2.14.1.
As reported by BleepingComputer, the hackers involved in the attack are suspected of being members of the Iranian APT35 state-backed organization (also known as ‘Charming Kitten’ or ‘Phosphorus’) and have been seen using Log4Shell attacks to install a new PowerShell backdoor.
The modular payload is capable of handling C2 communications, system enumeration, and ultimately receiving, decrypting, and loading other modules.
APT35 was among the first malicious actors to exploit the vulnerability before targets had a chance to apply security fixes, searching for vulnerable PCs just days after it was made public.
Exploiting CVE-2021-44228 causes a PowerShell command with a base64-encoded payload to be executed, which ultimately retrieves the ‘CharmPower’ module from an actor-controlled Amazon S3 bucket. The core module performs a number of functions: it can validate network connectivity, perform basic system enumeration, retrieve the C&C domain, and receive, decrypt, and execute follow-up modules.
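For defenders, the first observable step described above is PowerShell being started with a base64-encoded command. The following triage sketch is an added example, not code from the original article or from Check Point; it assumes process-creation telemetry with hypothetical field names (parent, image, cmdline), assumes the vulnerable Log4j application runs under java.exe or javaw.exe, and uses constructed sample events.

```python
import base64
import binascii
import re

# Candidate "-e<letters> <value>" pairs; the prefix test below keeps only -EncodedCommand forms.
FLAG = re.compile(r"\s-(e[a-z]*)\s+(\S+)", re.I)
URL = re.compile(r"https?://[^\s'\"]+")
JAVA_PARENTS = {"java.exe", "javaw.exe"}    # assumption: the JVM hosting Log4j
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries -EncodedCommand, else None."""
    for flag, value in FLAG.findall(cmdline):
        flag = flag.lower()
        # PowerShell accepts abbreviated forms of -EncodedCommand (-e, -enc, ...) and -ec.
        if not ("encodedcommand".startswith(flag) or flag == "ec"):
            continue  # e.g. -ExecutionPolicy
        try:
            # The argument is base64 over UTF-16LE text.
            return base64.b64decode(value, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None

def triage(event):
    """Flag PowerShell run with an encoded command; severity is high under a Java parent."""
    if basename(event["image"]) not in POWERSHELL:
        return None
    script = decode_encoded_command(event["cmdline"])
    if script is None:
        return None
    java = basename(event["parent"]) in JAVA_PARENTS
    return {"severity": "high" if java else "review",
            "script": script, "urls": URL.findall(script)}

def enc_sample(text):  # builds the constructed sample input
    return base64.b64encode(text.encode("utf-16-le")).decode()

# Constructed process-creation events, not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Java\jre\bin\java.exe", "image": PS, "cmdline": "powershell.exe"
     " -ExecutionPolicy Bypass -enc " + enc_sample("$u='https://example.invalid/placeholder'; Write-Output $u")},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe -e " + enc_sample("Write-Output 'constructed sample'")},
    {"parent": r"C:\Program Files\Java\jre\bin\java.exe", "image": PS, "cmdline": "powershell.exe -NoProfile"},
]
```

Decoding the command at triage time gives the analyst the script text and any URLs it references without running it.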
The core module continues to send HTTP POST requests to the C2, which either go unanswered or result in the download of an extra PowerShell or C# module.
‘CharmPower’ is in charge of decrypting and loading these modules, which then create an independent communication channel with the C2.
CharmPower automatically generates a list of modules to be distributed to the infected endpoint based on the fundamental system details gathered during the reconnaissance phase. Applications, Screenshot, Process, System information, Command Execution, and Cleanup are the additional modules sent by the C2.
Check Point researchers also discovered a number of parallels between ‘CharmPower’ and Android malware previously employed by APT35, such as the implementation of the same logging functionalities and the usage of an identical format and syntax.
How Can Heimdal™ Help?
Threat prevention is essential to your company’s cybersecurity, as it is an effective way to add multiple layers of proactive protection. As cyber attackers become more cunning, so should the solutions we use to stop them. This is where Heimdal™ comes in.
Heimdal™ is always updated and keeps pace with the latest cybersecurity trends, a quality that its products reflect too. Our award-winning Threat Prevention Endpoint solution uses Machine Learning, cybercrime intelligence, and artificial intelligence capabilities to help you prevent future threats with 96% accuracy on your endpoints, a very efficient threat hunting solution that makes malicious URLs, processes, and attackers’ origins no longer anonymous.
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.