Hackers assumed to be the part of Iranian APT35 state-backed group which is also known as ‘Charming Kitten’ or ‘Phosphorus’ have been observed leveraging Log4Shell attacks to drop a new PowerShell backdoor.

The modular payload can handle C2 communications, perform system enumeration, and finally receive, decrypt, and load additional modules. Log4Shell is an exploit for CVE-2021-44228, a critical remote code execution vulnerability in Apache Log4j revealed in December.

As per the researcher, APT35 was among the first to advantage the vulnerability before targets had an event to apply the security update, scanning for vulnerable systems these days after its public disclosures. A researcher, who has been following these attempts, attributes the exploit activity to APT35 as the attacker’s attack was promptly deployed using the previously exposed infrastructure known to be utilized by the group.

However, as part of their research, the analysts also spotted something new in the form of a PowerShell modular backdoor named ‘CharmPower.’

An Interchangeable Backdoor for Numerous Tasks

The exploitation of CVE-2021-44228 results in executing the PowerShell command with a base64-encoded payload, eventually enchanting the ‘CharmPower’ module from an actor-controlled Amazon S3 bucket.

This core module can execute the following main functions:

• Validate network connection – Upon execution, the script waits for an active internet connection by making HTTP POST requests to google.com with the parameter hi=hi.
• Basic system enumeration – The script collects the Windows OS version, computer name, and the contents of a file Ni.txt in $APPDATA path; the file is presumably created and filled by different modules that will be downloaded by the main module.
• Retrieve C&C domain – The malware decodes the C&C domain retrieved from a hardcoded URL which is located in the same S3 bucket from where the backdoor was downloaded.
• Receive, decrypt, and execute follow-up modules.

The core module keeps sending HTTP POST requests to the C2 that either go unanswered or receive a Base64 string which initiates the downloading of an additional PowerShell or C# module.   

‘CharmPower’ is responsible for decrypting and loading such modules, and these then establish an independent channel of communications with the C2.

The list of modules to be sent to the affected endpoint is generated automatically based on the basis of the system’s data retrieved by CharmPower during the reconnaissance phase.

The additional modules sent by the C2 are the following:

• Applications – Enumerates uninstall registry values and uses the “wmic” command to figure out which applications are installed on the infected system.
• Screenshot – Captures screenshots according to a specified frequency and uploads them to an FTP server using hardcoded credentials.
• Process – Grabs runs processes by using the tasklist command.
• System information – Runs the “systeminfo” command to gather system information. Has many more commands but are commented out.
• Command Execution – Remote command execution module featuring Invoke-Expression, cmd, and PowerShell options.
• Cleanup – Module to remove all traces left in the compromised system, like registry and startup folder entries, files, and processes. It’s dropped at the very end of the APT35 attacks.

What are the Similarities with the Previous Backdoors?  

A researcher has seen the similarities between ‘CharmPower’ and Android spyware utilized by APT35 in the past, which include implementing the same logging function and utilizing an identical format and syntax. Also, the ‘Stack=Overflow’ parameter in C2 communications is seen on both samples, which is a unique element only seen in APT35 tools.

These code similarities and infrastructure overlaps allowed Xiarch to attribute the operation to APT35. ‘CharmPower’ is an example of how quickly sophisticated actors can respond to the emergence of vulnerabilities like CVE-2021-44228 and put together code from previously exposed tools to create something potent and influential that can go further security and detection layers.