Researchers are warning of a number of attacks launched by Iran-linked threat actor APT35, which have exploited the well-known Log4j vulnerability in order to deploy modular, PowerShell-based malware.
Like many other threat actors, APT35 began launching widespread scanning and exploitation attempts against the Log4j flaw (CVE-2021-44228) in publicly facing systems just four days after it was disclosed in December. As part of these attacks, the actors used a previously unobserved PowerShell-based framework, which researchers with Check Point Research called CharmPower, in order to establish persistence, gather data and execute commands.
“In these attacks, the actors still used the same or similar infrastructure as in many of their previous attacks,” said researchers with Check Point Research in a Tuesday analysis. “However, judging by their ability to take advantage of the Log4j vulnerability and by the code pieces of the CharmPower backdoor, the actors are able to change gears rapidly and actively develop different implementations for each stage of their attacks.”
Researchers said they saw exploitation attempts on more than 150 organizations, though they could not say how many of those were successful.
The targets are consistent with the previous activities of the actor," said Alexandra Gofman, Threat Intelligence Analysis team leader at Check Point Research. "There are several specific Israeli targets from the government sector. Many other exploitation attempts fall on transport, communications, education and research sectors.
Initially, APT35's attacks appeared rushed, utilizing publicly-available open-source JNDI Exploit Kits for exploitation and basing their operations on previous infrastructure. This made the attacks easier to detect and attribute, said researchers. However, shortly after these attacks started, researchers found a subgroup of APT35 launching a large-scale campaign that targeted Israeli networks, which used their own implementation of the exploit to combine attack stages for both Windows and Linux.
As part of attacks, APTs sent a crafted request to victims’ publicly facing resources, though researchers did not specify what vulnerable products were targeted. Then, the exploitation server returned a malicious Java class to be executed on vulnerable machines, which ran a PowerShell command with a payload. Eventually, the payload downloaded and executed a PowerShell module from an Amazon S3 bucket URL. Beyond communication with the command-and-control (C2) server, this main module had several functionalities, including validating the network connection, collecting the Windows OS version and computer name, and also executing additional modules.
The additional modules all contained the ability to encrypt and exfiltrate data (via a POST request or by uploading it to an FTP server) and send execution logs to a remote server. In addition, the modules had varying unique tasks, including listing installed applications and running processes on the target system, taking screenshots, executing predefined commands from the C2 server and cleaning up any traces left behind from other modules.
“The modules sent by the C&C are executed by the main module, with each one reporting data back to the server separately,” said researchers. “This C&C cycle continues indefinitely, which allows the threat actors to gather data on the infected machine, run arbitrary commands and possibly escalate their actions by performing a lateral movement or executing follow-up malware such as ransomware.”
APT35, which is tied to the Iranian government, has previously been linked to attacks targeting the private emails of politicians, journalists and senior personnel in medical institutions and research facilities in the United States and Israel. The group has launched both credential phishing attacks and utilized malware to steal sensitive data from victims.
Researchers noted that APT35 is famous for the number of OpSec mistakes in their previous operations. Because the actors do not tend to change up their infrastructure once it has been exposed, researchers were able to note a number of code and infrastructure overlaps between these recent Log4j flaw exploitation attempts and previous APT35 activities. For instance, the logging function implementations, the logging format and the syntax of the logging messages of the PowerShell modules were identical to those used in previous APT35 campaigns. For infrastructure, researchers noted similar API endpoints between the PowerShell malware’s C2 and those used in previous APT35 Android mobile malware samples.
“The activity we observed is consistent with the actor's TTP, although with the speed they have acquired log4j exploits it’s clear they are constantly working to improve the ways to achieve their goals.” Gofman said. “For some activities where the end goal seems to gather intelligence, the CharmPower backdoor has been installed - previously this activity was carried out using spear-phishing.”