PowGoop is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been used by MuddyWater as their main loader.[1][2]

ID: S1046
Platforms: Windows
Contributors: Ozer Sarilar, @ozersarilar, STM
Version: 1.0
Created: 29 September 2022
Last Modified: 17 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

PowGoop can send HTTP GET requests to malicious servers.[2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

PowGoop has the ability to use PowerShell scripts to execute commands.[1]

Enterprise T1132 .002 Data Encoding: Non-Standard Encoding

PowGoop can use a modified Base64 encoding mechanism to send data to and from the C2 server.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

PowGoop can decrypt PowerShell scripts for execution.[1][2]

Enterprise T1573 Encrypted Channel

PowGoop can receive encrypted commands from C2.[1]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

PowGoop can side-load Goopdate.dll into GoogleUpdate.exe.[1][2]

Enterprise T1036 Masquerading

PowGoop has disguised a PowerShell script as a .dat file (goopdate.dat).[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

PowGoop has used a DLL named Goopdate.dll to impersonate a legitimate Google update file.[1]

Groups That Use This Software

ID Name References
G0069 MuddyWater