APT35 and AQUATIC PANDA Exploit the Log4j Vulnerability

Exploit Tools and Targets: Threat Actors Continue to Leverage the Log4j Exploit

According to a recent research article by CrowdStrike, AQUATIC PANDA, a China-based group known for intelligence collection and industrial espionage, has been observed exploiting CVE-2021-44228 to target a large academic institution (1). The threat actor likely used a modified version of the Log4j exploit with the goal of installing a reverse shell and credential harvesting (1). The actor used a Base64-encoded PowerShell command to retrieve three files from a C2 server, which were decoded and believed to constitute the reverse shell (1). They made multiple attempts of credential harvesting using living-off-the-land binaries and dumping the LSASS process (1). AQUATIC PANDA used WinRAR to compress the memory dump for exfiltration and deleted all executables from ProgramData and Windows\temp\ directories to cover their activity (1).

Similarly, Checkpoint noted that APT35, a suspected Iranian nation-state actor known for espionage operations, exploited CVE-2021-44228 to install a modular PowerShell backdoor named CharmPower, which is used to gain persistence, collect information and execute commands (2). The exploit retrieves a malicious Java class which executes a PowerShell command with a base64-encoded payload to download the main module. The main module is responsible for validating the network connection, basic system enumeration, decode the command and control (C2) domain and to receive, decrypt and execute the following modules:

• Applications module
• Screenshot module
• Processes Module
• System Information Module
• Command Execution module
• Cleanup Module

AQUATIC PANDA’s and APT35’s recent use of the Log4j exploit highlights the continued risk CVE-2021-44228 poses to organizations. Nation-state and criminal groups added CVE-2021-42288 into their toolset from release (3), and the recent activity by AQUATIC PANDA and APT35 shows that advanced groups are still exploiting the vulnerability. This trend is almost certainly going to continue due to the ease of exploitation and the wide threat surface, with there being more than 2,800 distinct products that contain Log4j and an estimate of hundreds of millions of individual devices affected (4).

Malware: New Web Skimmer Targets Real Estate Websites

Researchers from Palo Alto Networks identified a new webskimmer which infected over 100 real estate websites through a supply chain attack (5). The unknown threat actor injected malicious JavaScript code into the player of a cloud video platform used by real estate websites (5). When the real estate sites imported the video, they became infected with the webskimmer (5). The webskimmer is designed to steal a user’s sensitive information they input into the real estate website such as credit card details, name, and email address (5).

Supply chain attacks are an increasing risk to organizations moving forward. The nature of the supply chain attack allows an actor to have oversized impact by successfully executing a single attack that affects multiple downstream stakeholders. Criminal and nation-state groups recognized this and are using supply chains attacks such as SolarWinds (6) and the Kaseya attack (7) to achieve their objectives. Organizations are likely to push for more visibility into their vendor security practices to reduce the risk posed by supply chain attacks.

About EclecticIQ Threat Research 

EclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government. 

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com. 

Appendix

1. https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
2. https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/
3. https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
4. https://twitter.com/ericgeller/status/1480557042637099012
5. https://unit42.paloaltonetworks.com/web-skimmer-video-distribution/
6. https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
7. https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689