APT35 CharmPower & Log4j

Industry: N/A | Level: Tactical | Source: CheckPoint

Intelligence from CheckPoint shares threat activity from Iranian nation-state actor group - APT35 (aka Charming Kitten, TA453, or Phosphorus) exploiting the Log4j/CVE-2021-44228 vulnerability to distribute their PowerShell toolkit - CharmPower. As the tool’s name suggests, the exploitation chain following the successful Log4j exploit is heavily PowerShell based, and the malicious java class triggers an encoded PowerShell command to download a module from an Amazon S3 bucket executing a loader. CharmPower contains a variety of modules such as downloading additional payloads, system enumeration, data collection, and exfiltration.

• Anvilogic Use Cases:
• Suspicious process Spawned by Java
• Encoded Powershell Command
• Suspicious Executable by Powershell
• Executable Process from Suspicious Folder