CharmPower

CharmPower is a PowerShell-based, modular backdoor that has been used by Magic Hound since at least 2022.[1]

ID: S0674
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 24 January 2022
Last Modified: 25 January 2022

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

CharmPower can use HTTP to communicate with C2.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

CharmPower can use PowerShell for payload execution and C2 communication.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

The C# implementation of the CharmPower command execution module can use cmd.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

CharmPower can send additional modules over C2 encoded with base64.[1]

Enterprise T1005 Data from Local System

CharmPower can collect data and files from a compromised host.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

CharmPower can decrypt downloaded modules prior to execution.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

CharmPower can send additional modules over C2 encrypted with a simple substitution cipher.[1]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

CharmPower can send victim data via FTP with credentials hardcoded in the script.[1]

Enterprise T1041 Exfiltration Over C2 Channel

CharmPower can exfiltrate gathered data to a hardcoded C2 URL via HTTP POST.[1]

Enterprise T1008 Fallback Channels

CharmPower can change its C2 channel once every 360 loops by retrieving a new domain from the actors’ S3 bucket.[1]

Enterprise T1083 File and Directory Discovery

CharmPower can enumerate drives and list the contents of the C: drive on a victim's computer.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

CharmPower can delete created files from a compromised system.[1]

Enterprise T1105 Ingress Tool Transfer

CharmPower has the ability to download additional modules to a compromised host.[1]

Enterprise T1112 Modify Registry

CharmPower can remove persistence-related artifacts from the Registry.[1]

Enterprise T1057 Process Discovery

CharmPower has the ability to list running processes through the use of tasklist.[1]

Enterprise T1012 Query Registry

CharmPower has the ability to enumerate Uninstall registry values.[1]

Enterprise T1113 Screen Capture

CharmPower has the ability to capture screenshots.[1]

Enterprise T1518 Software Discovery

CharmPower can list the installed applications on a compromised host.[1]

Enterprise T1082 System Information Discovery

CharmPower can enumerate the OS version and computer name on a targeted system.[1]

Enterprise T1016 System Network Configuration Discovery

CharmPower has the ability to use ipconfig to enumerate system network settings.[1]

Enterprise T1049 System Network Connections Discovery

CharmPower can use netsh wlan show profiles to list specific Wi-Fi profile details.[1]

Enterprise T1102 Web Service

CharmPower can download additional modules from actor-controlled Amazon S3 buckets.[1]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

CharmPower can retrieve C2 domain information from actor-controlled S3 buckets.[1]

Enterprise T1047 Windows Management Instrumentation

CharmPower can use wmic to gather information from a system.[1]
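Several of the entries above (T1057 tasklist, T1016 ipconfig, T1049 netsh wlan show profiles, T1047 wmic, T1059.003 cmd) describe a PowerShell parent spawning native discovery tools in quick succession. That parent/child chain is a practical detection hook. The script below is an added example, not CharmPower code and not part of the ATT&CK page: it reads a constructed, pipe-separated export resembling Sysmon Event ID 1 (process creation) and flags any powershell.exe/pwsh.exe parent whose children hit three or more distinct discovery techniques inside a five-minute window. The field layout, the sample events, and the window/threshold values are assumptions.

```python
"""Added example (not CharmPower's code, not from the ATT&CK page): flag a
PowerShell process whose children run several of the discovery commands
attributed to CharmPower within a short window. Input is a constructed export
resembling Sysmon Event ID 1; the field layout and samples are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line signatures for the discovery techniques listed on this page.
DISCOVERY_SIGNATURES = [
    (re.compile(r"\btasklist(\.exe)?\b", re.IGNORECASE), "T1057"),
    (re.compile(r"\bipconfig(\.exe)?\b", re.IGNORECASE), "T1016"),
    (re.compile(r"\bnetsh(\.exe)?\s+wlan\s+show\s+profiles?\b", re.IGNORECASE), "T1049"),
    (re.compile(r"\bwmic(\.exe)?\b", re.IGNORECASE), "T1047"),
]
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Constructed sample (assumption): timestamp|host|parent pid|parent image|image|command line
# WS01 is the suspicious chain; WS02-WS04 are single or widely spaced commands.
SAMPLE_EVENTS = r"""
2022-01-10T09:00:01|WS01|4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\cmd.exe|cmd.exe /c tasklist
2022-01-10T09:00:03|WS01|4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\ipconfig.exe|ipconfig /all
2022-01-10T09:00:05|WS01|4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\netsh.exe|netsh wlan show profiles
2022-01-10T09:00:08|WS01|4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\wbem\WMIC.exe|wmic os get Caption,Version
2022-01-10T09:01:00|WS02|2210|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c tasklist
2022-01-10T09:02:00|WS03|777|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\ipconfig.exe|ipconfig
2022-01-10T10:00:00|WS04|910|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\cmd.exe|cmd.exe /c tasklist
2022-01-10T11:00:00|WS04|910|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\wbem\WMIC.exe|wmic process list brief
"""


def parse_events(text):
    """Turn the pipe-separated export into dicts; image names are basenames, lowercased."""
    events = []
    for line in text.strip().splitlines():
        ts, host, ppid, parent_image, image, cmdline = line.split("|", 5)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "ppid": int(ppid),
            "parent": parent_image.rsplit("\\", 1)[-1].lower(),
            "image": image.rsplit("\\", 1)[-1].lower(),
            "cmdline": cmdline,
        })
    return events


def classify(cmdline):
    """Map a command line to the ATT&CK technique it evidences, or None."""
    for pattern, technique in DISCOVERY_SIGNATURES:
        if pattern.search(cmdline):
            return technique
    return None


def find_discovery_chains(events, window=timedelta(minutes=5), min_techniques=3):
    """One alert per (host, parent pid) whose PowerShell parent launched at least
    min_techniques distinct discovery techniques inside a sliding window.
    Keying on the parent pid ties the children back to the interpreter that
    drove them, which is what separates this from an admin running tasklist."""
    by_parent = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["parent"] not in POWERSHELL_IMAGES:
            continue
        technique = classify(e["cmdline"])
        if technique:
            by_parent[(e["host"], e["ppid"])].append((e["ts"], technique))

    alerts = []
    for (host, ppid), hits in by_parent.items():
        for i, (start, _) in enumerate(hits):
            in_window = {t for ts, t in hits[i:] if ts - start <= window}
            if len(in_window) >= min_techniques:
                alerts.append({"host": host, "parent_pid": ppid,
                               "first_seen": start, "techniques": sorted(in_window)})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_chains(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The threshold deliberately ignores a lone tasklist or ipconfig, which administrators run constantly; what is rare is one interpreter process driving several of them within seconds. In a real deployment the same logic applies to PowerShell script block logs (Event ID 4104), where the cmdlet equivalents of these commands would also need signatures.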

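The T1132.001, T1573.001 and T1140 entries above describe modules that arrive base64-encoded with a simple substitution cipher over them and are decoded before execution. The page does not give the cipher table or the layer order, so the following is an added example of the general shape, not CharmPower's decoder: it assumes the substitution is applied character by character over the base64 text and uses a hypothetical seeded permutation of the base64 alphabet as the key. The sample module text is constructed. The point worth taking from it is in looks_like_powershell: a permutation of the alphabet leaves the blob valid base64 under any table, so a decode that does not error proves nothing about the key and the plaintext itself has to be checked.

```python
"""Added example (not CharmPower's decoder, not from the ATT&CK page): unwrap a
module delivered as base64 text with a substitution cipher applied over it.
The key schedule and layer order are assumptions; the module text is constructed."""
import base64
import random
import string

B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed sample module (assumption), stands in for a downloaded PowerShell module.
SAMPLE_MODULE = (
    b'function Get-Info { $h = hostname; '
    b'$o = (Get-WmiObject Win32_OperatingSystem).Caption; "$h|$o" }'
)


def build_table(seed: int) -> dict:
    """Hypothetical key schedule (assumption): a seeded shuffle of the base64 alphabet.
    The real table would have to be recovered from a sample of the implant."""
    shuffled = list(B64_ALPHABET)
    random.Random(seed).shuffle(shuffled)
    return dict(zip(B64_ALPHABET, shuffled))


def wrap_module(module: bytes, table: dict) -> str:
    """C2 side: base64-encode (T1132.001), then substitute each character
    (T1573.001). '=' padding is outside the alphabet and passes through unchanged."""
    encoded = base64.b64encode(module).decode("ascii")
    return "".join(table.get(c, c) for c in encoded)


def unwrap_module(blob: str, table: dict) -> bytes:
    """Implant side (T1140): invert the substitution, then base64-decode."""
    inverse = {v: k for k, v in table.items()}
    restored = "".join(inverse.get(c, c) for c in blob)
    return base64.b64decode(restored, validate=True)


def looks_like_powershell(data: bytes) -> bool:
    """Analyst sanity check on the decoded bytes. Because the substitution maps
    the alphabet onto itself, a wrong table still yields syntactically valid
    base64 and b64decode succeeds; only the plaintext reveals a bad key."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return False
    markers = ("$", "function ", "Invoke-", "Get-", "Start-Process")
    return sum(m in text for m in markers) >= 2


if __name__ == "__main__":
    table = build_table(42)
    blob = wrap_module(SAMPLE_MODULE, table)
    print("wire form:", blob)
    print("right key plausible:", looks_like_powershell(unwrap_module(blob, table)))
    print("wrong key plausible:", looks_like_powershell(unwrap_module(blob, build_table(43))))
```

When reversing a real sample, the table is read out of the PowerShell decoder routine rather than guessed, and the plausibility check is what confirms the extracted mapping is complete (a single wrong entry corrupts every group of four characters that contains it).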
Groups That Use This Software

ID Name References
G0059 Magic Hound [1]

References