fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

State Hackers Use New PowerShell Backdoor in Log4j Attacks

State Hackers Use New PowerShell Backdoor in Log4j Attacks

Hackers believed to be part of the Iranian APT35 state-backed group (aka ‘Charming Kitten’ or ‘Phosphorus’) has been observed leveraging Log4Shell attacks to drop a new PowerShell backdoor.

The modular payload can handle C2 communications, perform system enumeration, and eventually receive, decrypt, and load additional modules.

Log4Shell is an exploit for CVE-2021-44228, a critical remote code execution vulnerability in Apache Log4j disclosed in December.

Also Read: Understanding The Data Intermediary In Data Protection

According to researchers from Check Point, APT35 was among the first to leverage the vulnerability before targets had an opportunity to apply security updates, scanning for vulnerable systems mere days after its public disclosure.

Check Point, who has been following these attempts, attributes the exploit activity to APT35 as the threat actor’s attacks were hastily set up using previously exposed infrastructure known to be used by the group.

However, as part of their research, the analysts also spotted something new in the form of a PowerShell modular backdoor named ‘CharmPower.’

A modular backdoor for multiple tasks

The exploitation of CVE-2021-44228 results in running a PowerShell command with a base64-encoded payload, eventually fetching the ‘CharmPower’ module from an actor-controlled Amazon S3 bucket.

Infection chain diagram on latest APT35 campaign
Infection chain diagram on latest APT35 campaign
Source: Check Point

This core module can perform the following main functions:

  • Validate network connection – Upon execution, the script waits for an active internet connection by making HTTP POST requests to google.com with the parameter hi=hi.
  • Basic system enumeration – The script collects the Windows OS version, computer name, and the contents of a file Ni.txt in $APPDATA path; the file is presumably created and filled by different modules that will be downloaded by the main module.
  • Retrieve C&C domain – The malware decodes the C&C domain retrieved from a hardcoded URL hxxps://s3[.]amazonaws[.]com/doclibrarysales/3 located in the same S3 bucket from where the backdoor was downloaded.
  • Receive, decrypt, and execute follow-up modules.

The core module keeps sending HTTP POST requests to the C2 that either go unanswered or receive a Base64 string which initiates the downloading of an additional PowerShell or C# module.

‘CharmPower’ is responsible for decrypting and loading these modules, and these then establish an independent channel of communication with the C2.

Also Read: How Being Data Protection Trained Can Help With Job Retention

Decoding additional modules fetched by the C2
Decoding additional modules fetched by the C2
Source: Check Point

The list of modules to be sent to the infected endpoint is generated automatically based on the basic system data retrieved by CharmPower during the reconnaissance phase.

The additional modules sent by the C2 are the following:

  • Applications – Enumerates uninstall registry values and uses the “wmic” command to figure out which applications are installed on the infected system.
  • Screenshot – Captures screenshots according to a specified frequency and uploads them to an FTP server using hardcoded credentials.
  • Process – Grabs running processes by using the tasklist command.
  • System information – Runs the “systeminfo” command to gather system information. Has many more commands but are commented out.
  • Command Execution – Remote command execution module featuring Invoke-Expression, cmd, and PowerShell options.
  • Cleanup – Module to remove all traces left in the compromised system, like registry and startup folder entries, files, and processes. It’s dropped at the very end of the APT35 attacks.
Cleanup module erasing all traces of activity
Cleanup module erasing all traces of activity
Source: Check Point

Similarities with old backdoors

Check Point noticed similarities between ‘CharmPower’ and an Android spyware used by APT35 in the past, including implementing the same logging functions and using an identical format and syntax.

Also, the “Stack=Overflow” parameter in C2 communications is seen on both samples, which is a unique element only seen in APT35 tools.

Same parameter used in both malware samples
Same parameter used in both malware samples
Source: Check Point

These code similarities and infrastructure overlaps allowed Check Point to attribute the campaign to APT35.

‘CharmPower’ is an example of how quickly sophisticated actors can respond to the emergence of vulnerabilities like CVE-2021-44228 and put together code from previously exposed tools to create something potent and effective that can go past security and detection layers.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us