Skip to content

S0674 CharmPower

CharmPower is a PowerShell-based, modular backdoor that has been used by Magic Hound since at least 2022.1

Item Value
ID S0674
Associated Names
Version 1.0
Created 24 January 2022
Last Modified 25 January 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols CharmPower can use HTTP to communicate with C2.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell CharmPower can use PowerShell for payload execution and C2 communication.1
enterprise T1059.003 Windows Command Shell The C# implementation of the CharmPower command execution module can use cmd.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding CharmPower can send additional modules over C2 encoded with base64.1
enterprise T1005 Data from Local System CharmPower can collect data and files from a compromised host.1
enterprise T1140 Deobfuscate/Decode Files or Information CharmPower can decrypt downloaded modules prior to execution.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography CharmPower can send additional modules over C2 encrypted with a simple substitution cipher.1
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol CharmPower can send victim data via FTP with credentials hardcoded in the script.1
enterprise T1041 Exfiltration Over C2 Channel CharmPower can exfiltrate gathered data to a hardcoded C2 URL via HTTP POST.1
enterprise T1008 Fallback Channels CharmPower can change its C2 channel once every 360 loops by retrieving a new domain from the actors’ S3 bucket.1
enterprise T1083 File and Directory Discovery CharmPower can enumerate drives and list the contents of the C: drive on a victim’s computer.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion CharmPower can delete created files from a compromised system.1
enterprise T1105 Ingress Tool Transfer CharmPower has the ability to download additional modules to a compromised host.1
enterprise T1112 Modify Registry CharmPower can remove persistence-related artifacts from the Registry.1
enterprise T1057 Process Discovery CharmPower has the ability to list running processes through the use of tasklist.1
enterprise T1012 Query Registry CharmPower has the ability to enumerate Uninstall registry values.1
enterprise T1113 Screen Capture CharmPower has the ability to capture screenshots.1
enterprise T1518 Software Discovery CharmPower can list the installed applications on a compromised host.1
enterprise T1082 System Information Discovery CharmPower can enumerate the OS version and computer name on a targeted system.1
enterprise T1016 System Network Configuration Discovery CharmPower has the ability to use ipconfig to enumerate system network settings.1
enterprise T1049 System Network Connections Discovery CharmPower can use netsh wlan show profiles to list specific Wi-Fi profile details.1
enterprise T1102 Web Service CharmPower can download additional modules from actor-controlled Amazon S3 buckets.1
enterprise T1102.001 Dead Drop Resolver CharmPower can retrieve C2 domain information from actor-controlled S3 buckets.1
enterprise T1047 Windows Management Instrumentation CharmPower can use wmic to gather information from a system.1

Groups That Use This Software

ID Name References
G0059 Magic Hound 1