Iran-backed hacking group Phosphorus, also known as APT35, is using the Log4j vulnerability to distribute a new modular PowerShell toolkit, according to security firm Check Point.
APT35 is one of several state-backed hacking groups known to have been developing tools to exploit public-facing Java applications that use vulnerable versions of the Log4j error-logging component.
Microsoft, which tracks the group as Phosphorus and has called it out for increasingly using ransomware in attacks, found it had operationalized a Log4j exploit for future campaigns less than a week after Log4Shell’s December 9 disclosure.
According to a further analysis by Check Point, APT35’s Log4j work was sloppy and “obviously rushed”, using a basic publicly available JNDI exploit kit (now removed from GitHub) for attacks that were easy to detect and attribute.
After exploiting Log4j on public-facing systems, the group uses what Check Point describes as ‘a PowerShell-based modular backdoor’ for persistence, communication with a command and control (C&C) server, and command execution for additional modules.
The main module of the attacker’s PowerShell framework validates network connections, enumerates characteristics of the compromised system, retrieves the C&C domain from a hardcoded URL, and fetches, decrypts and executes subsequent modules. After receiving information about compromised systems, the C&C server either issues no command or instructs the main module to execute other modules that are written as PowerShell scripts or C# code.
Back-and-forth communication between target and C&C runs continuously to determine what subsequent modules should be submitted to the target, according to Check Point.
Each of the additional modules is responsible for encrypting data, exfiltration via the web or an FTP server, and sending execution logs to a remote server.
But each module has unique capabilities, such as one for listing installed applications, another for taking screenshots, and more for listing running processes, enumeration, and executing predefined commands from the C&C. A final “cleanup module” is dropped at the end of collection activity that removes evidence, such as running processes created by previously used modules.
“The modules sent by the C&C are executed by the main module, with each one reporting data back to the server separately,” explains Check Point.
“This C&C cycle continues indefinitely, which allows the threat actors to gather data on the infected machine, run arbitrary commands and possibly escalate their actions by performing a lateral movement or executing follow-up malware such as ransomware.”
On the quality of the group’s work, Check Point had few compliments because, unlike most advanced persistent threats, the group doesn’t bother changing tools and infrastructure for new attacks and is known for making operational security (OpSec) blunders.
“The group is famous in the cybersecurity community for the number of OpSec mistakes in their previous operations, and they tend not to put too much effort into changing their infrastructure once exposed,” Check Point notes.
The firm says there are similar coding styles between the PowerShell scripts used for Log4Shell and the ones that the group used in Android spyware detailed by Google’s Threat Analysis Group in October.
Despite the US Cybersecurity and Infrastructure Security Agency’s (CISA) confirmation that it had seen no major breaches arise from Log4j exploitation, Microsoft assesses the Log4Shell issue as a “high-risk” situation because it’s difficult for organizations to know which applications, devices and services are affected. CISA also warned that attackers who have exploited Log4j may be waiting for alert levels to drop before using new but undetected footholds in targets.