Check out the results from our first round of ATT&CK Evaluations at attackevals.mitre.org!

POSHSPY

POSHSPY is a backdoor that has been used by APT29 since at least 2015. It appears to be used as a secondary backdoor used if the actors lost access to their primary backdoors. [1]

ID: S0150
Aliases: POSHSPY
Type: MALWARE
Platforms: Windows

Version: 1.0

Alias Descriptions

NameDescription
POSHSPY[1]

Techniques Used

DomainIDNameUse
EnterpriseT1030Data Transfer Size LimitsPOSHSPY uploads data in 2048-byte chunks.[1]
EnterpriseT1027Obfuscated Files or InformationPOSHSPY appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download.[1]
EnterpriseT1086PowerShellPOSHSPY uses PowerShell to execute various commands, one to execute its payload.[1]
EnterpriseT1105Remote File CopyPOSHSPY downloads and executes additional PowerShell code and Windows binaries.[1]
EnterpriseT1032Standard Cryptographic ProtocolPOSHSPY encrypts C2 traffic with AES and RSA.[1]
EnterpriseT1099TimestompPOSHSPY modifies timestamps of all downloaded executables to match a randomly selected file created prior to 2013.[1]
EnterpriseT1084Windows Management Instrumentation Event SubscriptionPOSHSPY uses a WMI event subscription to establish persistence.[1]

Groups

Groups that use this software:

APT29

References