POWERSTATS

POWERSTATS is a PowerShell-based first stage backdoor used by MuddyWater. [1]

ID: S0223
Associated Software: Powermud

Type: MALWARE
Platforms: Windows

Version: 2.0

Associated Software Descriptions

| Name | Description |
| --- | --- |
| Powermud | [4] |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1087 | Account Discovery | POWERSTATS can retrieve usernames from compromised hosts.[2] |
| Enterprise | T1043 | Commonly Used Port | POWERSTATS has used port 80 for C2.[1] |
| Enterprise | T1090 | Connection Proxy | POWERSTATS has connected to C2 servers through proxies.[2] |
| Enterprise | T1132 | Data Encoding | POWERSTATS encoded C2 traffic with base64.[1] |
| Enterprise | T1005 | Data from Local System | POWERSTATS can upload files from compromised hosts.[2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | POWERSTATS can deobfuscate the main backdoor code.[3] |
| Enterprise | T1089 | Disabling Security Tools | POWERSTATS can disable Microsoft Office Protected View by changing Registry keys.[2] |
| Enterprise | T1175 | Distributed Component Object Model | POWERSTATS can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts.[2] |
| Enterprise | T1173 | Dynamic Data Exchange | POWERSTATS can use DDE to execute additional payloads on compromised hosts.[2] |
| Enterprise | T1107 | File Deletion | POWERSTATS can delete all files on the C:\, D:\, E:\, and F:\ drives using PowerShell Remove-Item commands.[2] |
| Enterprise | T1036 | Masquerading | POWERSTATS has created a scheduled task named "MicrosoftEdge" to establish persistence.[3] |
| Enterprise | T1170 | Mshta | POWERSTATS can use Mshta.exe to execute additional payloads on compromised hosts.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | POWERSTATS uses character replacement, PowerShell environment variables, and XOR encoding to obfuscate code. POWERSTATS's backdoor code is a multi-layer obfuscated, encoded, and compressed blob.[2][3] |
| Enterprise | T1086 | PowerShell | POWERSTATS uses PowerShell for obfuscation and execution.[1][3] |
| Enterprise | T1105 | Remote File Copy | POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server.[2] |
| Enterprise | T1053 | Scheduled Task | POWERSTATS has established persistence through a scheduled task using the command "C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR "c:\Windows\system32\wscript.exe C:\Windows\temp\Windows.vbe".[3] |
| Enterprise | T1029 | Scheduled Transfer | POWERSTATS can sleep for a given number of seconds.[2] |
| Enterprise | T1113 | Screen Capture | POWERSTATS can retrieve screenshots from compromised hosts.[2] |
| Enterprise | T1064 | Scripting | POWERSTATS can use VBScript (VBE), PowerShell, and JavaScript code for execution.[3] |
| Enterprise | T1063 | Security Software Discovery | POWERSTATS has detected security tools.[2] |
| Enterprise | T1032 | Standard Cryptographic Protocol | POWERSTATS has encrypted C2 traffic with RSA.[2] |
| Enterprise | T1082 | System Information Discovery | POWERSTATS can retrieve OS name/architecture and computer/domain name information from compromised hosts.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | POWERSTATS can retrieve IP and network adapter configuration information from compromised hosts.[2] |
| Enterprise | T1065 | Uncommonly Used Port | POWERSTATS has used ports 8060 and 8888 for C2.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | POWERSTATS can use WMI queries to retrieve data from compromised hosts.[2][3] |
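The Scheduled Task and Masquerading rows above give the exact schtasks.exe command line POWERSTATS used for persistence. The following is an added detection example, not code from the ATT&CK page or from any referenced report: it scans process-creation records for (a) a task created with the masquerading name "MicrosoftEdge" and (b) a task action or direct execution in which wscript.exe/cscript.exe runs a script from C:\Windows\temp. The second rule generalizes the page's single .vbe example to .vbs/.js/.jse as well. The "key=value; ..." record format, the field names ts/Image/CommandLine, and the sample event lines are all constructed for this example; adapt parse_event to your own telemetry.

```python
"""Added detection example for the POWERSTATS scheduled-task persistence pattern.
Log format, field names and sample records are constructed, not real telemetry."""
import re

# Constructed sample process-creation records (one per line). The first record
# reproduces the schtasks command line documented in the Scheduled Task row.
SAMPLE_EVENTS = [
    "ts=2019-05-01T12:00:01Z; Image=C:\\Windows\\System32\\schtasks.exe; "
    "CommandLine=\"C:\\Windows\\system32\\schtasks.exe\" /Create /F /SC DAILY /ST 12:00 "
    "/TN MicrosoftEdge /TR \"c:\\Windows\\system32\\wscript.exe C:\\Windows\\temp\\Windows.vbe\"",
    "ts=2019-05-01T12:00:05Z; Image=C:\\Windows\\System32\\schtasks.exe; "
    "CommandLine=schtasks.exe /Create /SC WEEKLY /TN Backup /TR \"C:\\Program Files\\Backup\\backup.exe\"",
    "ts=2019-05-01T12:01:00Z; Image=C:\\Windows\\System32\\wscript.exe; "
    "CommandLine=wscript.exe C:\\Windows\\temp\\Windows.vbe",
    "ts=2019-05-01T12:02:00Z; Image=C:\\Windows\\System32\\notepad.exe; CommandLine=notepad.exe",
]

# Task name documented on the page as used for masquerading (compared case-insensitively).
MASQUERADE_TASK_NAMES = {"microsoftedge"}

TASK_NAME_RE = re.compile(r'/TN\s+"?([^"\s]+)', re.I)          # value of /TN
TASK_RUN_RE = re.compile(r'/TR\s+"?(.*?)"?\s*$', re.I)          # value of /TR (rest of line)
SCRIPT_HOST_RE = re.compile(r'\b[wc]script\.exe\b', re.I)       # wscript.exe or cscript.exe
# Script under C:\Windows\temp; .vbe is from the page, the other extensions are a generalization.
TEMP_SCRIPT_RE = re.compile(r'\\windows\\temp\\[^\s"]+\.(vbe|vbs|js|jse)\b', re.I)


def parse_event(line):
    """Split a constructed 'key=value; key=value' record into a dict."""
    fields = {}
    for part in line.split("; "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_command(cmd):
    """Return a list of human-readable reasons the command line is suspicious (empty if none)."""
    reasons = []
    low = cmd.lower()
    if "schtasks" in low and "/create" in low:
        name = TASK_NAME_RE.search(cmd)
        if name and name.group(1).lower() in MASQUERADE_TASK_NAMES:
            reasons.append(f"scheduled task created with known masquerading name {name.group(1)!r}")
        action = TASK_RUN_RE.search(cmd)
        if action and SCRIPT_HOST_RE.search(action.group(1)) and TEMP_SCRIPT_RE.search(action.group(1)):
            reasons.append("scheduled task action runs a script host on a script in Windows\\temp")
    elif SCRIPT_HOST_RE.search(cmd) and TEMP_SCRIPT_RE.search(cmd):
        reasons.append("script host executing a script from Windows\\temp")
    return reasons


def scan(lines):
    """Return (timestamp, image, reasons) for every record that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = check_command(ev.get("CommandLine", ""))
        if reasons:
            hits.append((ev.get("ts"), ev.get("Image"), reasons))
    return hits


if __name__ == "__main__":
    for ts, image, reasons in scan(SAMPLE_EVENTS):
        print(ts, image)
        for r in reasons:
            print("   -", r)
```

Run against the constructed records, the first (the documented schtasks command) trips both rules and the third (wscript.exe launching the .vbe from Windows\temp) trips the script-host rule; the benign backup task and notepad.exe are not flagged. The task-name rule is brittle by design (the operator can rename the task), so the script-host rule is the one worth keeping in production telemetry.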

Groups

Groups that use this software:

MuddyWater

References