CharmPower: APT35's Modular Toolset Exploits Log4j Vulnerability
- Actor Motivations: Espionage,Exfiltration
- Attack Vectors: Code injection,Vulnerability Exploitation,Backdoor
- Attack Complexity: High
- Threat Risk: High Impact/High Probability
Threat Overview
APT35 has started widespread scanning and attempts to leverage the Log4j flaw in publicly facing systems only four days after the vulnerability was disclosed. The group used a modular PowerShell-based framework dubbed CharmPower for persistence, information gathering, and command execution.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Region | Israel | High |
Extracted IOCs
- 0brandaeyes0[.]xyz
- 0standavalue0[.]xyz
- 0storageatools0[.]xyz
- 144[.]217.138.155
- 148[.]251.71.182
- 54[.]38.49.6
Tip: 6 related IOCs (3 IP, 3 domain, 0 URL, 0 email, 0 file hash) to this threat have been found.
Overlaps
Source: AttackIQ - August 2023
Detection (one case): 148[.]251.71.182
Source: Secureworks - September 2022
Detection (one case): 148[.]251.71.182
Source: CISA - September 2022
Detection (one case): 148[.]251.71.182
Source: Deep Instinct - June 2022
Detection (one case): 148[.]251.71.182
Source: Cybereason - February 2022
Detection (one case): 148[.]251.71.182
Source: The DFIR Report - November 2021
Detection (one case): 148[.]251.71.182
Source: The Dfir Report - March 2021
Detection (one case): 148[.]251.71.182
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.