Chargeweapon

Malware Profile Updated 13 days ago
ChargeWeapon is malware, deployed from compromised web servers, that gives attackers unauthorized access to infected systems and gathers sensitive data from them. It was first identified on a compromised Cobra DocGuard web server, where it was deployed as a previously unknown Go-based backdoor. Once running, the backdoor collects host, device and network information, serialises it as JSON, base64-encodes the result and transmits it to an attacker-controlled command-and-control (C2) server. Its functionality extends beyond data collection: it is engineered to provide remote access, letting the attackers control infected hosts remotely.

The delivery chain observed in the reported intrusion ran as follows: the threat actors used the compromised Cobra DocGuard web server to deliver a McAfee binary, used DLL side-loading to run Cobalt Strike shellcode, and only then deployed the Go-based ChargeWeapon backdoor.

To evade detection, ChargeWeapon uses the simple evasion methods provided by the open-source "garble" obfuscation tool.

Indicators of compromise associated with ChargeWeapon include hash values for the HyperBro loader and for ChargeWeapon itself, together with IP addresses linked to the C2 server and to second-stage malware artifacts. Users are advised to protect themselves from vulnerabilities by using tools like Patch Manager Plus to patch over 850 third-party applications promptly.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the ChargeWeapon malware was read from the documents listed below. This display is limited to 20 results.
Source / Created at / Title

- CERT-EU, 7 months ago: Chinese Hackers Attacking Semiconductor Industries using Cobalt Strike beacon
- CERT-EU, 7 months ago: Chinese State-Sponsored Cyber Espionage Activity Targeting Semiconductor Industry in East Asia
- CERT-EU, 7 months ago: China-linked cyberspies backdoor semiconductor firms with Cobalt Strike
- CERT-EU, 7 months ago: Semiconductor firms targeted by Chinese hackers
- CERT-EU, 7 months ago: China-based spies are hacking East Asian semiconductor companies, report says | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting