2022-01-18

APT35 CharmPower & Log4j


Industry: N/A | Level: Tactical | Source: CheckPoint

CheckPoint reports that the Iranian nation-state group APT35 (aka Charming Kitten, TA453, or Phosphorus) is exploiting the Log4j vulnerability (CVE-2021-44228) to distribute its PowerShell toolkit, CharmPower. As the tool's name suggests, the chain that follows a successful Log4j exploit is heavily PowerShell-based: the malicious Java class triggers an encoded PowerShell command to download a module from an Amazon S3 bucket and execute a loader. CharmPower contains a variety of modules, covering the download of additional payloads, system enumeration, data collection, and exfiltration.

Anvilogic Use Cases:

  • Suspicious process Spawned by Java
  • Encoded Powershell Command
  • Suspicious Executable by Powershell
  • Executable Process from Suspicious Folder
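An added sketch of how the first two use cases can be checked against process-creation telemetry (this is not Anvilogic's or CheckPoint's detection content). The event field names (`pid`, `parent_image`, `image`, `command_line`) and the sample events are assumptions constructed for the example; the encoded command is a harmless constructed string.

```python
import base64
import re

# powershell.exe accepts any prefix of -EncodedCommand, plus the -ec alias.
PREFIXES = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}, key=len, reverse=True)
ENC_FLAG = re.compile(r"(?:^|\s)[-/](?:%s)\s+([A-Za-z0-9+/=]{8,})" % "|".join(PREFIXES), re.I)
JAVA_PARENTS = {"java.exe", "javaw.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    # Returns the decoded script, "<undecodable>" for a malformed blob, or None if no flag.
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return "<undecodable>"

def detect(events):
    findings = []
    for ev in events:
        child, tags, decoded = basename(ev["image"]), [], None
        if basename(ev["parent_image"]) in JAVA_PARENTS and child in POWERSHELL | {"cmd.exe"}:
            tags.append("Suspicious process Spawned by Java")
        if child in POWERSHELL:
            decoded = decode_encoded_command(ev["command_line"])
            if decoded is not None:
                tags.append("Encoded Powershell Command")
        if tags:
            findings.append({"pid": ev["pid"], "use_cases": tags, "decoded": decoded})
    return findings

# Constructed sample telemetry (not taken from the CheckPoint report).
SAMPLE_B64 = base64.b64encode("Write-Output constructed-sample".encode("utf-16-le")).decode()
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
JAVA_PATH = r"C:\Program Files\Java\jre\bin\java.exe"
EVENTS = [
    {"pid": 4100, "parent_image": JAVA_PATH, "image": PS_PATH,
     "command_line": "powershell.exe -NoP -ec " + SAMPLE_B64},
    {"pid": 4200, "parent_image": r"C:\Windows\explorer.exe", "image": PS_PATH,
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"pid": 4300, "parent_image": JAVA_PATH, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c ver"},
]
```

Decoding the blob at detection time gives the analyst the actual script text to triage, rather than only the fact that an encoded flag was present.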
