Threats Feed | APT35 | Last Updated: 15/08/2023 | Author: Certfa Radar | Publish Date: 11/01/2022

CharmPower: APT35's Modular Toolset Exploits Log4j Vulnerability

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Code injection, Vulnerability Exploitation, Backdoor
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

APT35 began widespread scanning for, and attempts to exploit, the Log4j flaw in public-facing systems only four days after the vulnerability was disclosed. The group used a modular PowerShell-based framework dubbed CharmPower for persistence, information gathering, and command execution.

Detected Targets

Type   | Description | Confidence
Region | Israel      | High

Extracted IOCs

  • 0brandaeyes0[.]xyz
  • 0standavalue0[.]xyz
  • 0storageatools0[.]xyz
  • 144[.]217.138.155
  • 148[.]251.71.182
  • 54[.]38.49.6

Tip: 6 IOCs related to this threat have been found (3 IP, 3 domain, 0 URL, 0 email, 0 file hash).

Overlaps

APT35 | APT35's Exploitation of Microsoft Exchange: Targeting Europe, Middle East, and North America

Source: AttackIQ - August 2023

Detection (one case): 148[.]251.71.182

Cobalt Mirage | Unveiling the Actors behind COBALT MIRAGE: A Ransomware Incident Analysis

Source: Secureworks - September 2022

Detection (one case): 148[.]251.71.182

Unknown | Iranian Cyber Actors Target Western Nations in Ransom and Extortion Campaigns

Source: CISA - September 2022

Detection (one case): 148[.]251.71.182

Phosphorus | Stealth in the System: PHOSPHORUS Exploits Exchange Server in Infrastructure Sector Attack

Source: Deep Instinct - June 2022

Detection (one case): 148[.]251.71.182

Phosphorus | PowerLess Backdoor: Analyzing the Phosphorus Group's Cyber Espionage Tool

Source: Cybereason - February 2022

Detection (one case): 148[.]251.71.182

Phosphorus | Iranian-backed PHOSPHORUS Exploits Microsoft Exchange Vulnerabilities for Data Encryption

Source: The DFIR Report - November 2021

Detection (one case): 148[.]251.71.182

Phosphorus | Automated Scripts Used in Microsoft Exchange ProxyShell Attack By PHOSPHORUS

Source: The DFIR Report - March 2021

Detection (one case): 148[.]251.71.182

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.