EclecticIQ
nav-solutions

Learn how EclecticIQ can help you address your specific challenges – by team and by need – and improve your overall security posture.

Solutions overview

Our Ecosystem

An ecosystem supporting our customers' intelligence-led proactive cybersecurity needs with collaborative partner programs delivering world-class joint solutions. 

Partner Program

Partner with EclecticIQ to bring valuable and innovative security solutions and services to end users. Open to all partner types, including technology developers, service providers, resellers, and community.

Our Partnerships

We partner with the world's premier technology and solution providers to support all phases of your cybersecurity needs. Explore all our partners' solutions and offerings to build and extend your cyber defense ecosystem.

EclecticIQ Resources

We are committed to increasing the knowledge and capabilities of the cybersecurity community through our research & analysis efforts and open source projects.

Browse Resources

Learn more about our technology, solutions and services, and stay updated on the cyber threat landscape with our research reports, webinars and other information.

Open Source Projects

We are proud to be an active member in the open source community and to help develop and advance progress of security technology. Learn more about contributions or go directly to our GitHub page.

nav-solutions

Learn how EclecticIQ can help you address your specific challenges – by team and by need – and improve your overall security posture.

Solutions overview

Our Ecosystem

An ecosystem supporting our customers' intelligence-led proactive cybersecurity needs with collaborative partner programs delivering world-class joint solutions. 

Partner Program

Partner with EclecticIQ to bring valuable and innovative security solutions and services to end users. Open to all partner types, including technology developers, service providers, resellers, and community.

Our Partnerships

We partner with the world's premier technology and solution providers to support all phases of your cybersecurity needs. Explore all our partners' solutions and offerings to build and extend your cyber defense ecosystem.

EclecticIQ Resources

We are committed to increasing the knowledge and capabilities of the cybersecurity community through our research & analysis efforts and open source projects.

Browse Resources

Learn more about our technology, solutions and services, and stay updated on the cyber threat landscape with our research reports, webinars and other information.

Open Source Projects

We are proud to be an active member in the open source community and to help develop and advance progress of security technology. Learn more about contributions or go directly to our GitHub page.

nav-solutions

Learn how EclecticIQ can help you address your specific challenges – by team and by need – and improve your overall security posture.

Solutions overview

Our Ecosystem

An ecosystem supporting our customers' intelligence-led proactive cybersecurity needs with collaborative partner programs delivering world-class joint solutions. 

Partner Program

Partner with EclecticIQ to bring valuable and innovative security solutions and services to end users. Open to all partner types, including technology developers, service providers, resellers, and community.

Our Partnerships

We partner with the world's premier technology and solution providers to support all phases of your cybersecurity needs. Explore all our partners' solutions and offerings to build and extend your cyber defense ecosystem.

EclecticIQ Resources

We are committed to increasing the knowledge and capabilities of the cybersecurity community through our research & analysis efforts and open source projects.

Browse Resources

Learn more about our technology, solutions and services, and stay updated on the cyber threat landscape with our research reports, webinars and other information.

Open Source Projects

We are proud to be an active member in the open source community and to help develop and advance progress of security technology. Learn more about contributions or go directly to our GitHub page.

nav-solutions

Learn how EclecticIQ can help you address your specific challenges – by team and by need – and improve your overall security posture.

Solutions overview

Our Ecosystem

An ecosystem supporting our customers' intelligence-led proactive cybersecurity needs with collaborative partner programs delivering world-class joint solutions. 

Partner Program

Partner with EclecticIQ to bring valuable and innovative security solutions and services to end users. Open to all partner types, including technology developers, service providers, resellers, and community.

Our Partnerships

We partner with the world's premier technology and solution providers to support all phases of your cybersecurity needs. Explore all our partners' solutions and offerings to build and extend your cyber defense ecosystem.

EclecticIQ Resources

We are committed to increasing the knowledge and capabilities of the cybersecurity community through our research & analysis efforts and open source projects.

Browse Resources

Learn more about our technology, solutions and services, and stay updated on the cyber threat landscape with our research reports, webinars and other information.

Open Source Projects

We are proud to be an active member in the open source community and to help develop and advance progress of security technology. Learn more about contributions or go directly to our GitHub page.

APT35 and AQUATIC PANDA Exploit the Log4j Vulnerability

This issue of The Analyst Prompt looks at APT35 and AQUATIC PANDA’s use of the Log4j exploit and a new webskimmer infecting real estate websites in a supply chain attack.

EclecticIQ Threat Research Team January 18, 2022

Exploit Tools and Targets: Threat Actors Continue to Leverage the Log4j Exploit

According to a recent research article by CrowdStrike, AQUATIC PANDA, a China-based group known for intelligence collection and industrial espionage, has been observed exploiting CVE-2021-44228 to target a large academic institution (1). The threat actor likely used a modified version of the Log4j exploit with the goal of installing a reverse shell and credential harvesting (1). The actor used a Base64-encoded PowerShell command to retrieve three files from a C2 server, which were decoded and believed to constitute the reverse shell (1). They made multiple attempts of credential harvesting using living-off-the-land binaries and dumping the LSASS process (1). AQUATIC PANDA used WinRAR to compress the memory dump for exfiltration and deleted all executables from ProgramData and Windows\temp\ directories to cover their activity (1).

Similarly, Checkpoint noted that APT35, a suspected Iranian nation-state actor known for espionage operations, exploited CVE-2021-44228 to install a modular PowerShell backdoor named CharmPower, which is used to gain persistence, collect information and execute commands (2). The exploit retrieves a malicious Java class which executes a PowerShell command with a base64-encoded payload to download the main module. The main module is responsible for validating the network connection, basic system enumeration, decode the command and control (C2) domain and to receive, decrypt and execute the following modules:

  • Applications module
  • Screenshot module
  • Processes Module
  • System Information Module
  • Command Execution module
  • Cleanup Module

AQUATIC PANDA’s and APT35’s recent use of the Log4j exploit highlights the continued risk CVE-2021-44228 poses to organizations. Nation-state and criminal groups added CVE-2021-42288 into their toolset from release (3), and the recent activity by AQUATIC PANDA and APT35 shows that advanced groups are still exploiting the vulnerability. This trend is almost certainly going to continue due to the ease of exploitation and the wide threat surface, with there being more than 2,800 distinct products that contain Log4j and an estimate of hundreds of millions of individual devices affected (4).

Malware: New Web Skimmer Targets Real Estate Websites

Researchers from Palo Alto Networks identified a new webskimmer which infected over 100 real estate websites through a supply chain attack (5). The unknown threat actor injected malicious JavaScript code into the player of a cloud video platform used by real estate websites (5). When the real estate sites imported the video, they became infected with the webskimmer (5). The webskimmer is designed to steal a user’s sensitive information they input into the real estate website such as credit card details, name, and email address (5).

Supply chain attacks are an increasing risk to organizations moving forward. The nature of the supply chain attack allows an actor to have oversized impact by successfully executing a single attack that affects multiple downstream stakeholders. Criminal and nation-state groups recognized this and are using supply chains attacks such as SolarWinds (6) and the Kaseya attack (7) to achieve their objectives. Organizations are likely to push for more visibility into their vendor security practices to reduce the risk posed by supply chain attacks.

About EclecticIQ Threat Research 

EclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government. 

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com. 

Appendix

  1. https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
  2. https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/
  3. https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
  4. https://twitter.com/ericgeller/status/1480557042637099012
  5. https://unit42.paloaltonetworks.com/web-skimmer-video-distribution/
  6. https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
  7. https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689

Receive all our latest updates

Subscribe to receive the latest EclecticIQ news, event invites, and Threat Intelligence blog posts.

Explore all topics

© 2014 – 2022 EclecticIQ B.V.
EclecticIQ. Intelligence, Hunting, Response.
Get demo