APT35 CharmPower & Log4j
Industry: N/A | Level: Tactical | Source: CheckPoint
Intelligence from CheckPoint describes threat activity by the Iranian nation-state actor APT35 (aka Charming Kitten, TA453, or Phosphorus) exploiting the Log4j vulnerability (CVE-2021-44228) to deliver its PowerShell toolkit, CharmPower. As the tool's name suggests, the post-exploitation chain is heavily PowerShell based: the malicious Java class triggers an encoded PowerShell command that downloads a module from an Amazon S3 bucket, which in turn executes a loader. CharmPower's modules include downloading additional payloads, system enumeration, data collection, and exfiltration.
- Anvilogic Use Cases:
  - Suspicious Process Spawned by Java
  - Encoded PowerShell Command
  - Suspicious Executable by PowerShell
  - Executable Process from Suspicious Folder
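The detection logic below is an added example illustrating the use cases listed above; it is not Anvilogic's or CheckPoint's code. It evaluates the Java-to-PowerShell parent/child relationship, the presence of an encoded PowerShell command (decoding the UTF-16LE base64 payload so an analyst can see the script), a PowerShell-launched executable outside the Windows directory, and execution from a user-writable folder, over constructed process-creation events shaped like Sysmon Event ID 1. The field names, folder list, rule names and sample events are assumptions made for the example.

```python
"""Added example: evaluate the CharmPower-style use cases over process events.

Not Anvilogic's or CheckPoint's code. Events are assumed to carry the Sysmon
Event ID 1 fields ParentImage, Image and CommandLine; everything else here is
a constructed illustration.
"""
import base64
import re

# Rule names, folder list and process lists are assumptions for this example.
JAVA_PARENTS = {"java.exe", "javaw.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
USER_WRITABLE_DIRS = (r"\appdata\local\temp", r"\windows\temp",
                      r"\programdata", r"\users\public")
# -e, -en, -enc, -encoded and -EncodedCommand, followed by a base64 blob.
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:encodedcommand|encoded|enc|en|e)\s+([A-Za-z0-9+/=]{16,})")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (base64 of UTF-16LE).

    Used here only to build the constructed sample event.
    """
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # flag present but payload garbled; still worth triage


def evaluate(event: dict) -> dict:
    """Apply the four use cases to one event; returns rule hits and decoded script."""
    parent = basename(event.get("ParentImage", ""))
    image_path = event.get("Image", "").replace("/", "\\").lower()
    image = basename(image_path)
    cmd = event.get("CommandLine", "")
    hits, decoded = [], None

    if parent in JAVA_PARENTS and image in SCRIPT_HOSTS:
        hits.append("suspicious_process_spawned_by_java")
    if image in POWERSHELL and ENC_FLAG.search(cmd):
        hits.append("encoded_powershell_command")
        decoded = decode_encoded_command(cmd)
    # Simplified heuristic: PowerShell launching a binary outside C:\Windows.
    if parent in POWERSHELL and not image_path.startswith("c:\\windows\\"):
        hits.append("suspicious_executable_by_powershell")
    if any(d in image_path for d in USER_WRITABLE_DIRS):
        hits.append("executable_from_suspicious_folder")
    return {"hits": hits, "decoded_command": decoded}


def triage(events):
    """Return (event, result) pairs for every event that fired at least one rule."""
    out = []
    for ev in events:
        result = evaluate(ev)
        if result["hits"]:
            out.append((ev, result))
    return out


# Constructed sample events (not real telemetry).
SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Java\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand " + encode_powershell(SAMPLE_SCRIPT)},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\Public\loader.exe",
     "CommandLine": r"C:\Users\Public\loader.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for ev, result in triage(SAMPLE_EVENTS):
        print(basename(ev["ParentImage"]), "->", basename(ev["Image"]), result)
```

Running the block prints two alerts: the Java-spawned PowerShell event fires both the parent/child and encoded-command rules and carries the decoded script, and the PowerShell-launched binary in a public folder fires the remaining two; the benign explorer.exe event is silent. In a SIEM these rules would be chained by host and time window rather than evaluated per event.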