CharmPower
CharmPower is a PowerShell-based, modular backdoor that has been used by Magic Hound since at least 2022.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
CharmPower can use HTTP to communicate with C2.[1] |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
CharmPower can use PowerShell for payload execution and C2 communication.[1] |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
The C# implementation of the CharmPower command execution module can use |
||
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
CharmPower can send additional modules over C2 encoded with base64.[1] |
| Enterprise | T1005 | Data from Local System |
CharmPower can collect data and files from a compromised host.[1] |
|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
CharmPower can decrypt downloaded modules prior to execution.[1] |
|
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
CharmPower can send additional modules over C2 encrypted with a simple substitution cipher.[1] |
| Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
CharmPower can send victim data via FTP with credentials hardcoded in the script.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel |
CharmPower can exfiltrate gathered data to a hardcoded C2 URL via HTTP POST.[1] |
|
| Enterprise | T1008 | Fallback Channels |
CharmPower can change its C2 channel once every 360 loops by retrieving a new domain from the actors’ S3 bucket.[1] |
|
| Enterprise | T1083 | File and Directory Discovery |
CharmPower can enumerate drives and list the contents of the C: drive on a victim's computer.[1] |
|
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
CharmPower can delete created files from a compromised system.[1] |
| Enterprise | T1105 | Ingress Tool Transfer |
CharmPower has the ability to download additional modules to a compromised host.[1] |
|
| Enterprise | T1112 | Modify Registry |
CharmPower can remove persistence-related artifacts from the Registry.[1] |
|
| Enterprise | T1057 | Process Discovery |
CharmPower has the ability to list running processes through the use of |
|
| Enterprise | T1012 | Query Registry |
CharmPower has the ability to enumerate |
|
| Enterprise | T1113 | Screen Capture |
CharmPower has the ability to capture screenshots.[1] |
|
| Enterprise | T1518 | Software Discovery |
CharmPower can list the installed applications on a compromised host.[1] |
|
| Enterprise | T1082 | System Information Discovery |
CharmPower can enumerate the OS version and computer name on a targeted system.[1] |
|
| Enterprise | T1016 | System Network Configuration Discovery |
CharmPower has the ability to use |
|
| Enterprise | T1049 | System Network Connections Discovery |
CharmPower can use |
|
| Enterprise | T1102 | Web Service |
CharmPower can download additional modules from actor-controlled Amazon S3 buckets.[1] |
|
| .001 | Dead Drop Resolver |
CharmPower can retrieve C2 domain information from actor-controlled S3 buckets.[1] |
||
| Enterprise | T1047 | Windows Management Instrumentation |
CharmPower can use |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0059 | Magic Hound |