Hackers believed to be part of the state-backed Iranian APT35 group (aka “Charming Kitten” or “Phosphorus”) have been observed using Log4Shell attacks to drop a new PowerShell backdoor.
The modular payload can handle C2 communications, perform system enumeration, and optionally receive, decrypt, and load additional modules.
Log4Shell is an exploit for CVE-2021-44228, a critical remote code execution vulnerability in Apache Log4j disclosed in December.
According to Check Point researchers, APT35 was among the first to exploit the vulnerability before targets had a chance to apply security updates, scanning for vulnerable systems just days after its public disclosure.
Check Point, which tracked these attempts, attributes the exploitation activity to APT35 because the attacks were hastily put together using previously exposed infrastructure known to be used by the group.
However, as part of their research, analysts also spotted something new in the form of a modular PowerShell backdoor named “CharmPower.”
A modular backdoor for multiple tasks
Exploitation of CVE-2021-44228 results in the execution of a PowerShell command with a base64-encoded payload, optionally retrieving the “CharmPower” module from an Amazon S3 bucket controlled by the actor.
This core module can perform the following main functions:
- Validate the network connection – When running, the script waits for an active Internet connection by making HTTP POST requests to google.com with the parameter hi=hi.
- Basic system enumeration – The script collects the Windows operating system version, the computer name and the contents of a Ni.txt file in the $APPDATA path; the file is probably created and populated by other modules that the main module later downloads.
- Retrieve the C&C domain – The malware decodes the C&C domain retrieved from a hard-coded URL, hxxps://s3[.]amazonaws[.]com/doclibrarysales/3, located in the same S3 bucket the backdoor was downloaded from.
- Receive, decrypt and execute follow-up modules.
The main module keeps sending HTTP POST requests to the C2, which either go unanswered or receive a Base64 string that starts the download of an additional PowerShell or C# module.
‘CharmPower’ is responsible for decrypting and loading these modules, which then establish an independent communication channel with the C2.
The list of modules to send to the infected endpoint is automatically generated based on the basic system data collected by CharmPower during the discovery phase.
The additional modules sent by the C2 are as follows:
- Applications – Lists the Uninstall registry values and uses the “wmic” command to determine which applications are installed on the infected system.
- Screenshot – Captures screenshots at a specified frequency and uploads them to an FTP server using hard-coded credentials.
- Process – Lists running processes using the tasklist command.
- System information – Runs the “systeminfo” command to collect system information; the module contains many more commands, but they are commented out.
- Command execution – Remote command execution module with Invoke-Expression, cmd and PowerShell options.
- Cleanup – Module that removes all traces left on the compromised system, such as registry and startup-folder entries, files and processes. It was dropped onto the system at the very end of the APT35 attacks.
Similarities to older backdoors
Check Point noticed similarities between “CharmPower” and Android spyware used by APT35 in the past, including the implementation of the same logging functions and the use of the same format and syntax.
In addition, the “Stack=Overflow” parameter in C2 communications appears in both samples, a unique element seen only in APT35 tools.
These code similarities and infrastructure overlaps allowed Check Point to attribute the campaign to APT35.
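The three network indicators described above, the hi=hi POST to google.com, the doclibrarysales S3 bucket and the Stack=Overflow C2 parameter, can be hunted for in web-proxy logs. The following is an added example, not code from Check Point or the article; the log format, client addresses and the c2.example.invalid host are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log (not real telemetry): "<ts> <client> <method> <url> <status> <body|->"
SAMPLE_LOG = """\
2021-12-13T09:14:02Z 10.0.0.21 POST https://www.google.com/ 200 hi=hi
2021-12-13T09:14:05Z 10.0.0.21 GET https://s3.amazonaws.com/doclibrarysales/3 200 -
2021-12-13T09:15:10Z 10.0.0.21 POST https://c2.example.invalid/u 200 Stack=Overflow&id=QUJD
2021-12-13T09:17:41Z 10.0.0.23 POST https://www.google.com/ 200 q=weather
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def params_of(url, body):
    """Merge query-string and form-body parameters into one dict of value lists."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if body and body != "-":
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return params

def classify(method, url, body):
    """Return the name of the CharmPower indicator a request matches, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    params = params_of(url, body)
    # Connectivity check: HTTP POST to google.com carrying the parameter hi=hi
    if (method == "POST" and (host == "google.com" or host.endswith(".google.com"))
            and params.get("hi") == ["hi"]):
        return "connectivity-check"
    # Stager and C&C-domain retrieval from the S3 bucket named in the report
    if host == "s3.amazonaws.com" and parts.path.startswith("/doclibrarysales/"):
        return "s3-bucket"
    # Stack=Overflow parameter, the C2 marker Check Point ties to APT35 tooling
    if params.get("Stack") == ["Overflow"]:
        return "stack-overflow-param"
    return None

def hunt(log_text):
    """Scan log lines and return (client, indicator, url) for every hit."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines instead of aborting the whole scan
        _ts, client, method, url, _status, body = match.groups()
        indicator = classify(method, url, body)
        if indicator:
            hits.append((client, indicator, url))
    return hits
```

Running `hunt(SAMPLE_LOG)` flags the three requests from 10.0.0.21 and ignores the ordinary google.com POST from 10.0.0.23; in practice the same three rules map onto a proxy or EDR query over real logs.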
“CharmPower” is an example of how quickly sophisticated actors can respond to emerging vulnerabilities such as CVE-2021-44228 and assemble code from previously exposed tools into something powerful and efficient that can get past security and detection layers.