CharmPower

CharmPower is a PowerShell-based, modular backdoor that has been used by Magic Hound since at least 2022.[1]

ID: S0674
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 24 January 2022
Last Modified: 25 January 2022

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

CharmPower can use wmic to gather information from a system.[1]

Enterprise T1005 Data from Local System

CharmPower can collect data and files from a compromised host.[1]

Enterprise T1112 Modify Registry

CharmPower can remove persistence-related artifacts from the Registry.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

CharmPower can send additional modules over C2 encrypted with a simple substitution cipher.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

CharmPower can decrypt downloaded modules prior to execution.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

CharmPower can use PowerShell for payload execution and C2 communication.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

The C# implementation of the CharmPower command execution module can use cmd.[1]

Enterprise T1008 Fallback Channels

CharmPower can change its C2 channel once every 360 loops by retrieving a new domain from the actors’ S3 bucket.[1]

Enterprise T1113 Screen Capture

CharmPower has the ability to capture screenshots.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

CharmPower can use HTTP to communicate with C2.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

CharmPower can send additional modules over C2 encoded with base64.[1]

Enterprise T1083 File and Directory Discovery

CharmPower can enumerate drives and list the contents of the C: drive on a victim's computer.[1]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

CharmPower can send victim data via FTP with credentials hardcoded in the script.[1]

Enterprise T1012 Query Registry

CharmPower has the ability to enumerate Uninstall registry values.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

CharmPower can delete created files from a compromised system.[1]

Enterprise T1082 System Information Discovery

CharmPower can enumerate the OS version and computer name on a targeted system.[1]

Enterprise T1049 System Network Connections Discovery

CharmPower can use netsh wlan show profiles to list specific Wi-Fi profile details.[1]

Enterprise T1016 System Network Configuration Discovery

CharmPower has the ability to use ipconfig to enumerate system network settings.[1]

Enterprise T1102 Web Service

CharmPower can download additional modules from actor-controlled Amazon S3 buckets.[1]

.001 Dead Drop Resolver

CharmPower can retrieve C2 domain information from actor-controlled S3 buckets.[1]

Enterprise T1518 Software Discovery

CharmPower can list the installed applications on a compromised host.[1]

Enterprise T1105 Ingress Tool Transfer

CharmPower has the ability to download additional modules to a compromised host.[1]

Enterprise T1057 Process Discovery

CharmPower has the ability to list running processes through the use of tasklist.[1]

Enterprise T1041 Exfiltration Over C2 Channel

CharmPower can exfiltrate gathered data to a hardcoded C2 URL via HTTP POST.[1]

Groups That Use This Software

ID Name References
G0059 Magic Hound [1]

References