Thank you to Tidal Cyber and SOC Prime for becoming ATT&CK's first Benefactors. To join the cohort, or learn more about this program visit our Benefactors page.

PowerLess

PowerLess is a PowerShell-based modular backdoor that has been used by Magic Hound since at least 2022.^[1]

ID: S1012

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 01 June 2022

Last Modified: 28 March 2023

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1560		Archive Collected Data	PowerLess can encrypt browser database files prior to exfiltration.^[1]
Enterprise	T1217		Browser Information Discovery	PowerLess has a browser info stealer module that can read Chrome and Edge browser database files.^[1]
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	PowerLess is written in and executed via PowerShell without using powershell.exe.^[1]
Enterprise	T1005		Data from Local System	PowerLess has the ability to exfiltrate data, including Chrome and Edge browser database files, from compromised machines.^[1]
Enterprise	T1074	.001	Data Staged: Local Data Staging	PowerLess can stage stolen browser data in `C:\\Windows\\Temp\\cup.tmp` and keylogger data in `C:\\Windows\\Temp\\Report.06E17A5A-7325-4325-8E5D-E172EBA7FC5BK`.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	PowerLess can use base64 and AES ECB decryption prior to execution of downloaded modules.^[1]
Enterprise	T1573		Encrypted Channel	PowerLess can use an encrypted channel for C2 communications.^[1]
Enterprise	T1105		Ingress Tool Transfer	PowerLess can download additional payloads to a compromised host.^[1]
Enterprise	T1056	.001	Input Capture: Keylogging	PowerLess can use a module to log keystrokes.^[1]

Groups That Use This Software

ID	Name	References
G0059	Magic Hound	^[1]

References

Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.