APT35 (aka Charming Kitten, TA453, or Phosphorus), suspected of being an Iranian nation-state actor, started widespread scanning and attempted to leverage Log4j flaw in publicly facing systems only four days after the vulnerability was disclosed, according to new Check Point research. 

The actor’s attack setup was obviously rushed, Check Point says, as they used the basic open-source tool for the exploitation and based their operations on the previous infrastructure, making the attack easier to detect and attribute.

In the blog, Check Point shares the details of the latest attacks by APT35 exploiting the Log4j vulnerability and analyzes their post-exploitation activities, including the new modular PowerShell-based framework dubbed CharmPower, used to establish persistence, gather information and execute commands.

The research tying Log4Shell exploitation to Iranian APT Charming Kitten coincides, and somewhat conflicts, with a statement made by the U.S. Cybersecurity Infrastructure and Security Agency (CISA) on January 10, 2022, which suggested there had been no significant intrusions tied to the bug at that time, explains Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions. “This likely emphasizes ongoing issues with incident disclosure and transparency and the lag that can exist between threat actor activity and discovery. As highlighted by CISA Director Jen Easterly, Log4Shell will undoubtedly be featured heavily in threat actor campaigns for a considerable amount of time. The full scale of impact from Log4Shell will likely not be known for several months. The research identified that Charming Kitten used a publicly available JNDI exploit kit published on Github but has since been removed. This will also likely serve as additional fuel to the debate regarding Github’s policy on proof of concept (PoC) exploit kits and malware samples hosted on their service; Github changed their policy in June 2021 to permit the removal of such items in order to minimize the risk of the exploits being used in live attacks. This decision was originally related to removing a PoC raised by a security researcher for the ProxyLogon Microsoft Exchange vulnerabilities, which was widely criticized by many in the security community. With Charming Kitten serving as a live example of how a public exploit can fall into the wrong hands quickly, the research’s findings may prove to be a justification of why their change in policy was a correct decision.”