PowerExchange

PowerExchange is a PowerShell backdoor that has been used by OilRig since at least 2023, including against government targets in the Middle East.[1]

ID: S1173
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 27 November 2024
Last Modified: 27 November 2024

Techniques Used

Domain ID Name Use
Enterprise T1071.003 Application Layer Protocol: Mail Protocols

PowerExchange can receive and send back the results of executed C2 commands through email.[1]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

PowerExchange can use PowerShell to execute commands received from C2.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

PowerExchange can decode and decrypt C2 commands received via email.[1]

Enterprise T1041 Exfiltration Over C2 Channel

PowerExchange can exfiltrate files via its email C2 channel.[1]

Enterprise T1105 Ingress Tool Transfer

PowerExchange can decode Base64-encoded files and call WriteAllBytes to write the decoded files to disk on compromised hosts.[1]

Groups That Use This Software

ID Name References
G0049 OilRig [1]

References