Register to stream ATT&CKcon 2.0 October 29-30


POWERSTATS is a PowerShell-based first stage backdoor used by MuddyWater. [1]

ID: S0223
Associated Software: Powermud
Platforms: Windows
Version: 2.0

Associated Software Descriptions

Name Description
Powermud [4]

Techniques Used

Domain ID Name Use
Enterprise T1087 Account Discovery POWERSTATS can retrieve usernames from compromised hosts. [2]
Enterprise T1043 Commonly Used Port POWERSTATS has used port 80 for C2. [1]
Enterprise T1090 Connection Proxy POWERSTATS has connected to C2 servers through proxies. [2]
Enterprise T1132 Data Encoding POWERSTATS encoded C2 traffic with base64. [1]
Enterprise T1005 Data from Local System POWERSTATS can upload files from compromised hosts. [2]
Enterprise T1140 Deobfuscate/Decode Files or Information POWERSTATS can deobfuscate the main backdoor code. [3]
Enterprise T1089 Disabling Security Tools POWERSTATS can disable Microsoft Office Protected View by changing Registry keys. [2]
Enterprise T1175 Distributed Component Object Model POWERSTATS can use DCOM (targeting the loopback address) to execute additional payloads on compromised hosts. [2]
Enterprise T1173 Dynamic Data Exchange POWERSTATS can use DDE to execute additional payloads on compromised hosts. [2]
Enterprise T1107 File Deletion POWERSTATS can delete all files on the C:\, D:\, E:\ and, F:\ drives using PowerShell Remove-Item commands. [2]
Enterprise T1036 Masquerading POWERSTATS has created a scheduled task named "MicrosoftEdge" to establish persistence. [3]
Enterprise T1170 Mshta POWERSTATS can use Mshta.exe to execute additional payloads on compromised hosts. [2]
Enterprise T1027 Obfuscated Files or Information POWERSTATS uses character replacement, PowerShell environment variables, and XOR encoding to obfuscate code. POWERSTATS's backdoor code is a multi-layer obfuscated, encoded, and compressed blob. [2] [3]
Enterprise T1086 PowerShell POWERSTATS uses PowerShell for obfuscation and execution. [1] [3]
Enterprise T1105 Remote File Copy POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server. [2]
Enterprise T1053 Scheduled Task POWERSTATS has established persistence through a scheduled task using the command ”C:\Windows\system32\schtasks.exe” /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR “c:\Windows\system32\wscript.exe C:\Windows\temp\Windows.vbe”. [3]
Enterprise T1029 Scheduled Transfer POWERSTATS can sleep for a given number of seconds. [2]
Enterprise T1113 Screen Capture POWERSTATS can retrieve screenshots from compromised hosts. [2]
Enterprise T1064 Scripting POWERSTATS can use VBScript (VBE), PowerShell, and JavaScript code for execution. [3]
Enterprise T1063 Security Software Discovery POWERSTATS has detected security tools. [2]
Enterprise T1032 Standard Cryptographic Protocol POWERSTATS has encrypted C2 traffic with RSA. [2]
Enterprise T1082 System Information Discovery POWERSTATS can retrieve OS name/architecture and computer/domain name information from compromised hosts. [2]
Enterprise T1016 System Network Configuration Discovery POWERSTATS can retrieve IP and network adapter configuration information from compromised hosts. [2]
Enterprise T1065 Uncommonly Used Port POWERSTATS has used ports 8060 and 8888 for C2. [1]
Enterprise T1047 Windows Management Instrumentation POWERSTATS can use WMI queries to retrieve data from compromised hosts. [2] [3]

Groups That Use This Software

ID Name References
G0069 MuddyWater [1] [2] [3] [4]