APT35 Executes PowerShell-Based Malware in Log4j Flaw Attacks
Researchers are warning of a number of attacks launched by Iran-linked threat actor APT35, which have exploited the well-known Log4j vulnerability in order to deploy modular, PowerShell-based malware.
Like many other threat actors, APT35 began launching widespread scanning and exploitation attempts against the Log4j flaw (CVE-2021-44228) in public-facing systems just four days after it was disclosed in December. As part of these attacks, the actors used a previously unobserved, PowerShell-based framework, which researchers with Check Point Research named CharmPower, to establish persistence, gather data and execute commands.
“In these attacks, the actors still used the same or similar infrastructure as in many of their previous attacks,” said researchers with Check Point Research in a Tuesday analysis. “However, judging by their ability to take advantage of the Log4j vulnerability and by the code pieces of the CharmPower backdoor, the actors are able to change gears rapidly and actively develop different implementations for each stage of their attacks.”