PowerShower

PowerShower is a PowerShell backdoor used by Inception for initial reconnaissance and to download and execute second stage payloads.[1][2]

ID: S0441
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 08 May 2020
Last Modified: 20 May 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

PowerShower has sent HTTP GET and POST requests to C2 servers to send information and receive instructions.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

PowerShower has used 7Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

PowerShower sets up persistence with a Registry run key.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

PowerShower is a backdoor written in PowerShell.[1]

.005 Command and Scripting Interpreter: Visual Basic

PowerShower has the ability to save and execute VBScript.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

PowerShower has the ability to encode C2 communications with base64 encoding.[1][2]

Enterprise T1041 Exfiltration Over C2 Channel

PowerShower has used a PowerShell document stealer module to pack and exfiltrate .txt, .pdf, .xls or .doc files smaller than 5MB that were modified during the past two days.[2]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

PowerShower has added a registry key so future powershell.exe instances are spawned with coordinates for a window position off-screen by default.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

PowerShower has the ability to remove all files created during the dropper process.[1]

Enterprise T1112 Modify Registry

PowerShower has added a registry key so future powershell.exe instances are spawned off-screen by default, and has removed all registry entries that are left behind during the dropper process.[1]

Enterprise T1057 Process Discovery

PowerShower has the ability to deploy a reconnaissance module to retrieve a list of the active processes.[2]

Enterprise T1082 System Information Discovery

PowerShower has collected system information on the infected host.[1]

Enterprise T1016 System Network Configuration Discovery

PowerShower has the ability to identify the current Windows domain of the infected host.[2]

Enterprise T1033 System Owner/User Discovery

PowerShower has the ability to identify the current user on the infected host.[2]

Groups That Use This Software

ID Name References
G0100 Inception

[1]

References