ChargeWeapon is a previously undocumented Go-based backdoor that is delivered through compromised web servers, gives the attackers unauthorized access to infected systems, and collects sensitive data from them. It was first identified on a compromised Cobra DocGuard web server. The backdoor gathers host data and transmits it to its command-and-control (C2) server in base64-encoded form. In the observed intrusion, the threat actors used the compromised Cobra DocGuard web server to deliver a McAfee binary, then used DLL side-loading to run Cobalt Strike shellcode before deploying the ChargeWeapon backdoor.
ChargeWeapon does more than collect data. It provides remote access, letting the attackers control infected hosts, and it reports device and network information from the compromised system to an attacker-controlled C2 server. To hinder analysis, the backdoor is built with the open-source "garble" obfuscator, which provides only simple evasion.
The indicators of compromise associated with ChargeWeapon include specific hash values for the HyperBro loader and for ChargeWeapon itself, along with IP addresses linked to the C2 server and to second-stage malware artifacts. Users are advised to reduce their exposure by using a tool such as Patch Manager Plus to patch over 850 third-party applications promptly. Once a host is infected, the ChargeWeapon backdoor begins transmitting data about it as JSON, obfuscated with base64 encoding.
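ChargeWeapon is described above as reporting host and network details to its C2 server as base64-wrapped JSON. The Python below is an added example, not code from this page or from any vendor analysis, showing how a defender could scan captured HTTP request bodies for that pattern: decode candidate base64, check that the result parses as a JSON object, and score it by how many keys look like host-identity fields. The key names in HOST_INFO_KEYS, the threshold, and the sample bodies are constructed assumptions; ChargeWeapon's actual JSON schema is not given on the page, so tune the key list from real samples before relying on it.

```python
import base64
import binascii
import json
import re

# Constructed sample request bodies, as a capture tool might hand them over.
# None of these are real ChargeWeapon traffic; they only exercise the heuristic.
SAMPLE_BODIES = [
    # base64 wrapping a JSON host-info beacon (constructed)
    base64.b64encode(json.dumps({"hostname": "WS-0412", "user": "jdoe",
                                 "os": "Windows 10", "ip": "10.0.5.17",
                                 "mac": "00:11:22:33:44:55"}).encode()).decode(),
    # benign form post
    "username=jdoe&password=hunter2",
    # base64 that decodes to binary, not text
    base64.b64encode(b"\x89PNG\r\n\x1a\n").decode(),
    # plain (unwrapped) JSON with nothing host-like
    json.dumps({"page": 2, "sort": "asc"}),
]

# Assumed field names a host-profiling beacon is likely to carry (constructed list).
HOST_INFO_KEYS = {"hostname", "username", "user", "os", "ip", "mac",
                  "domain", "arch", "pid"}

# Only the base64 alphabet, padding and line breaks are allowed in a candidate.
B64_RE = re.compile(r"^[A-Za-z0-9+/=\r\n]+$")


def decode_base64_json(body: str):
    """Return the parsed JSON object if body is base64 wrapping a JSON object, else None."""
    stripped = body.strip()
    if len(stripped) < 8 or not B64_RE.match(stripped):
        return None
    try:
        raw = base64.b64decode(stripped)
    except (binascii.Error, ValueError):
        return None          # bad padding or length: not base64
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None          # decoded bytes are not a UTF-8 JSON document
    return obj if isinstance(obj, dict) else None


def host_info_score(obj: dict) -> int:
    """Count top-level keys that look like host or network identity fields."""
    return sum(1 for k in obj if str(k).lower() in HOST_INFO_KEYS)


def classify_body(body: str, threshold: int = 3) -> str:
    """Label one request body: not base64 JSON, base64 JSON, or a suspected host beacon."""
    obj = decode_base64_json(body)
    if obj is None:
        return "not-base64-json"
    if host_info_score(obj) >= threshold:
        return "suspect-host-beacon"
    return "base64-json"


def scan(bodies):
    """Classify a batch of captured bodies; pair results with the bodies in a real pipeline."""
    return [classify_body(b) for b in bodies]


if __name__ == "__main__":
    for body, label in zip(SAMPLE_BODIES, scan(SAMPLE_BODIES)):
        print(f"{label:20s} {body[:48]}")
```

The heuristic deliberately refuses binary and non-object decodes so that ordinary base64 uploads (images, tokens) are not flagged, and it scores on key names rather than values so that it is indifferent to the specific hostnames or addresses in a beacon. Because the page states only that the data is JSON under base64, a detector built from this should be paired with the C2 IP addresses and hashes from the actual indicator list rather than used alone.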
Description last updated: 2023-11-29T02:34:01.648Z