An Iranian state-sponsored hacking group has been found to be actively exploiting vulnerabilities in Apache Log4j to distribute a new modular PowerShell toolkit for nefarious purposes.

Detailed Tuesday by researchers at Check Point Software Technologies Ltd., the APT35 hacking group, also known as Phosphorous and Charming Kitten, was first detected exploiting Log4j only four days after the first vulnerability was disclosed. The attack setup is described as being rushed, since the group used only a basic open-source JNDI exploit kit.

Having gained access to a vulnerable service, the Iranian hackers then included a new modular PowerShell-based framework that has been dubbed “CharmPower.” The script is used to establish persistence, gather information and execute commands.

CharmPower has four main initial modules. The first validates a network connection and the second gathers basic system information such as Windows version, computer name and the content of various system files. The third module decodes the command and control domain retrieved from a hardcoded URL stored on an Amazon Web Services Inc. S3 bucket, while the final module receives, decrypts and executes follow-up modules.

Depending on the information gathered by the initial deployment, APT35 then deploys additional custom modules to facilitate data theft and hide its presence on the infected machine.

APT35 is a well-known hacking group that most famously was linked to attacks in 2020 targeting the Trump campaign, current and former U.S. government officials, journalists covering global politics and prominent Iranians living outside Iran. The group also targeted the Munich Security Conference later the same year.

“The research tying Log4Shell exploitation to Iranian APT Charming Kitten coincides, and somewhat conflicts, with a statement made by the US Cybersecurity Infrastructure and Security Agency on Jan. 10 which suggested there had been no significant intrusions tied to the bug at that time,” Chris Morgan, senior cyber threat Intelligence analyst at digital risk solutions provider Digital Shadows Ltd., told SiliconANGLE. “This likely emphasizes ongoing issues with incident disclosure and transparency, and the lag that can exist between threat actor activity and discovery.

John Bambenek, principal threat hunter at information technology service management company Netenrich Inc., said it’s not surprising that second-tier nation-state actors would leverage the opportunity presented by the log4j vulnerability in a rushed fashion.

“Any exploit of this severity would be latched upon by anyone looking to get a quick foothold and sometimes tactical windows open like this which means that you have to act quickly,” Bambenek said. “The bigger question is which intelligence agency was using this before the vulnerability was made public?”

The news that Iranian hackers were exploiting the Log4j vulnerabilities came as U.S. Cyber Command’s Cyber National Mission Force disclosed that it had identified multiple open-source tools that Iranian intelligence actors are using in networks around the world.

The disclosure related to an Iranian state-sponsored hacking group dubbed “MuddyWater.” The group has been linked to Iran’s Ministry of Intelligence and Security and primarily targets other nations in the Middle East and, on occasion, countries in Europe and North America.

Photo: Blondinrikard Fröberg/Flickr