A New PowerShell Backdoor Is Being Used in Log4j Attacks

At the end of 2021 proof-of-concept exploits for a significant zero-day vulnerability discovered in the widely used Apache Log4j Java-based logging library were distributed online, exposing both home users and businesses to continuous remote code execution assaults.

The vulnerability, officially tagged as CVE-2021-44228 and called Log4Shell or LogJam, is an unauthenticated RCE vulnerability that allows total system takeover on systems running Log4j 2.0-beta9 through 2.14.1.

What Happened?

As reported by BleepingComputer, the hackers involved in the attack are suspected of being members of the Iranian APT35 state-backed organization (also known as ‘Charming Kitten‘ or ‘Phosphorus’) and have been seen using Log4Shell assaults to install a new PowerShell backdoor.

The modular payload is capable of handling C2 communications, system enumeration, and ultimately receiving, decrypting, and loading other modules.

Source

APT35 was among the first malicious actor to exploit the vulnerability before targets had a chance to apply security fixes, searching for vulnerable PCs just days after it was made public.

Exploiting CVE-2021-44228 causes a PowerShell command with a base64-encoded payload to be executed, finally retrieving the ‘CharmPower’ module from an actor-controlled Amazon S3 bucket. The core module is able to perform a number of functions, as it can validate network connection, create basic

Read More: https://heimdalsecurity.com/blog/a-new-powershell-backdoor-is-being-used-in-log4j-attacks/