POWERTON

POWERTON is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by APT33. At least two variants of the backdoor have been identified, with the later version containing improved functionality.[1]

ID: S0371
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1043 | Commonly Used Port | POWERTON has used port 443 for C2 traffic.[1] |
| Enterprise | T1003 | Credential Dumping | POWERTON has the ability to dump password hashes.[1] |
| Enterprise | T1086 | PowerShell | POWERTON is written in PowerShell.[1] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | POWERTON can install a Registry Run key for persistence.[1] |
| Enterprise | T1071 | Standard Application Layer Protocol | POWERTON has used HTTP/HTTPS for C2 traffic.[1] |
| Enterprise | T1032 | Standard Cryptographic Protocol | POWERTON has used AES for encrypting C2 traffic.[1] |
| Enterprise | T1084 | Windows Management Instrumentation Event Subscription | POWERTON can use WMI for persistence.[1] |
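The two persistence mechanisms in the table, Registry Run keys (T1060) and permanent WMI event subscriptions (T1084), can both be enumerated from the host with built-in cmdlets. The script below is an added hunting example written for this page; it is not POWERTON code and not taken from the cited report, which publishes no key names or filter names. It lists every autostart entry in the common Run/RunOnce keys and every `__FilterToConsumerBinding` in `root\subscription`, resolves each binding to its filter (the trigger) and consumer (the payload), and flags entries whose command launches PowerShell (T1086). The `$SuspiciousPattern` regex is an assumed heuristic chosen to surface PowerShell launchers generally; tune it to your environment and expect benign hits.

```powershell
# Added example: hunt for Run-key and WMI event-subscription persistence and
# flag entries that launch PowerShell. Heuristic only; not a POWERTON signature.
# Run from an elevated session on the host being examined.

# Assumed heuristic: common PowerShell launcher and loader indicators.
$SuspiciousPattern = 'powershell|pwsh|-enc\b|encodedcommand|frombase64string|invoke-expression|\biex\b|downloadstring|-nop\b|-w(indowstyle)? hidden'

function Get-RunKeyEntries {
    # Autostart locations for the current user and machine (T1060).
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path -Path $p)) { continue }
        $item = Get-ItemProperty -Path $p
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
            [pscustomobject]@{
                Source  = "RunKey $p"
                Name    = $prop.Name
                Command = [string]$prop.Value
                Trigger = 'logon'
            }
        }
    }
}

function Get-RefName {
    # A binding's Filter/Consumer reference is a CimInstance with the CIM
    # cmdlets, or a string like __EventFilter.Name="x" with the WMI cmdlets.
    param($Ref)
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $Ref
    }
    return [string]$Ref.Name
}

function Get-WmiSubscriptionEntries {
    # Permanent subscriptions (T1084) are a filter, a consumer and a binding
    # joining them; the binding is what makes the pair active.
    $ns = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)
    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        # The payload lives on the consumer; which property depends on its class.
        $payload = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)" }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { '' }
        }
        [pscustomobject]@{
            Source  = "WMI $($c.CimClass.CimClassName)"
            Name    = "$fName -> $cName"
            Command = ([string]$payload).Trim()
            Trigger = [string]$f.Query   # the WQL event query that fires the consumer
        }
    }
}

function Find-SuspiciousAutostarts {
    $entries = @(Get-RunKeyEntries) + @(Get-WmiSubscriptionEntries)
    foreach ($e in $entries) {
        $flag = [bool]($e.Command -match $SuspiciousPattern)
        $e | Add-Member -NotePropertyName Suspicious -NotePropertyValue $flag -PassThru
    }
}

Find-SuspiciousAutostarts |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize -Wrap Suspicious, Source, Name, Command, Trigger
```

Review every WMI entry regardless of the flag: any permanent subscription outside the handful Windows itself installs deserves an explanation, and a binding whose consumer cannot be resolved (empty `Source`) is itself worth investigating. Because the table also records AES-encrypted C2 over 443, a PowerShell host process found here that talks HTTPS to an unfamiliar destination is the network-side corroboration to look for.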

Groups

Groups that use this software:

APT33

References