S0223 POWERSTATS
POWERSTATS is a PowerShell-based first-stage backdoor used by MuddyWater. [2]
Item | Value |
---|---|
ID | S0223 |
Associated Names | Powermud |
Type | MALWARE |
Version | 2.3 |
Created | 18 April 2018 |
Last Modified | 22 March 2023 |
Associated Software Descriptions
Name | Description |
---|---|
Powermud | [3] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.001 | Local Account | POWERSTATS can retrieve usernames from compromised hosts. [4] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | POWERSTATS uses PowerShell for obfuscation and execution. [2][1][5][6] |
enterprise | T1059.005 | Visual Basic | POWERSTATS can use VBScript (VBE) code for execution. [1][5] |
enterprise | T1059.007 | JavaScript | POWERSTATS can use JavaScript code for execution. [1] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | POWERSTATS encoded C2 traffic with base64. [2] |
enterprise | T1005 | Data from Local System | POWERSTATS can upload files from compromised hosts. [4] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | POWERSTATS can deobfuscate the main backdoor code. [1] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.002 | Asymmetric Cryptography | POWERSTATS has encrypted C2 traffic with RSA. [4] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | POWERSTATS can disable Microsoft Office Protected View by changing Registry keys. [4] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | POWERSTATS can delete all files on the C:\, D:\, E:\, and F:\ drives using PowerShell Remove-Item commands. [4] |
enterprise | T1105 | Ingress Tool Transfer | POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server. [4] |
enterprise | T1559 | Inter-Process Communication | - |
enterprise | T1559.001 | Component Object Model | POWERSTATS can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts. [4] |
enterprise | T1559.002 | Dynamic Data Exchange | POWERSTATS can use DDE to execute additional payloads on compromised hosts. [4] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.004 | Masquerade Task or Service | POWERSTATS has created a scheduled task named "MicrosoftEdge" to establish persistence. [1] |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.001 | Binary Padding | POWERSTATS has used useless code blocks to counter analysis. [5] |
enterprise | T1027.010 | Command Obfuscation | POWERSTATS uses character replacement, PowerShell environment variables, and XOR encoding to obfuscate code. POWERSTATS's backdoor code is a multi-layer obfuscated, encoded, and compressed blob. [4][1] POWERSTATS has used PowerShell code with custom string obfuscation. [5] |
enterprise | T1057 | Process Discovery | POWERSTATS has used get_tasklist to discover processes on the compromised host. [5] |
enterprise | T1090 | Proxy | - |
enterprise | T1090.002 | External Proxy | POWERSTATS has connected to C2 servers through proxies. [4] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | POWERSTATS has established persistence through a scheduled task using the command "C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR "c:\Windows\system32\wscript.exe C:\Windows\temp\Windows.vbe". [1] |
enterprise | T1029 | Scheduled Transfer | POWERSTATS can sleep for a given number of seconds. [4] |
enterprise | T1113 | Screen Capture | POWERSTATS can retrieve screenshots from compromised hosts. [4][5] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | POWERSTATS has detected security tools. [4] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.005 | Mshta | POWERSTATS can use Mshta.exe to execute additional payloads on compromised hosts. [4] |
enterprise | T1082 | System Information Discovery | POWERSTATS can retrieve OS name/architecture and computer/domain name information from compromised hosts. [4][5] |
enterprise | T1016 | System Network Configuration Discovery | POWERSTATS can retrieve IP, network adapter configuration information, and domain from compromised hosts. [4][5] |
enterprise | T1033 | System Owner/User Discovery | POWERSTATS has the ability to identify the username on the compromised host. [5] |
enterprise | T1047 | Windows Management Instrumentation | POWERSTATS can use WMI queries to retrieve data from compromised hosts. [4][1] |
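The T1053.005 and T1036.004 rows above give the exact schtasks command line POWERSTATS used for persistence: a daily task with a Microsoft-sounding name (MicrosoftEdge) whose action runs wscript.exe against a .vbe file in C:\Windows\temp. The following detection logic is an added example and not part of the ATT&CK entry or any MuddyWater tooling. It parses schtasks /Create command lines from process-creation telemetry and flags the two traits separately: a script host launched from a staging directory (the technique), and a task name that mimics a Microsoft product (the masquerade). The event records, field names, staging-directory list and lookalike-name set are constructed for the example; tune them to your own telemetry and environment.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style, flattened to
# dicts). The first mirrors the POWERSTATS command line quoted by ATT&CK; the
# rest are benign or unrelated and should not fire. Not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR "c:\Windows\system32\wscript.exe C:\Windows\temp\Windows.vbe"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC ONLOGON /TN Backup /TR "C:\Program Files\Backup\backup.exe"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /Query /TN MicrosoftEdge"},
]

# Windows command-line tokens: a double-quoted run, or a run of non-whitespace.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Script hosts an attacker would point a task at (wscript is what POWERSTATS used).
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe")
SCRIPT_EXTS = (".vbe", ".vbs", ".js", ".jse", ".hta", ".ps1")
# Assumed staging directories for this example; extend for your environment.
STAGING_DIRS = ("\\windows\\temp\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")
# Assumed lookalike names; "microsoftedge" is the one ATT&CK records for POWERSTATS.
LOOKALIKE_NAMES = {"microsoftedge", "microsoftupdate", "windowsupdate", "googleupdate"}


def tokenize(cmdline: str) -> list:
    """Split a command line, keeping each double-quoted argument as one token."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline: str):
    """Return {'tn': name, 'tr': action} for a schtasks /Create line, else None."""
    toks = tokenize(cmdline)
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return None

    def arg_after(flag):
        for i, t in enumerate(lowered):
            if t == flag and i + 1 < len(toks):
                return toks[i + 1]
        return None

    return {"tn": arg_after("/tn"), "tr": arg_after("/tr")}


def analyze_schtasks(cmdline: str) -> list:
    """Return a list of finding strings; empty means nothing suspicious."""
    parsed = parse_schtasks(cmdline)
    if parsed is None:
        return []
    findings = []
    tr = (parsed["tr"] or "").lower()
    tn = (parsed["tn"] or "").lower()

    host_hit = any(h in tr for h in SCRIPT_HOSTS)
    # Check the extension per token so ".js" does not match ".json" and similar.
    ext_hit = any(t.endswith(SCRIPT_EXTS) for t in tokenize(tr))
    dir_hit = any(d in tr for d in STAGING_DIRS)
    if host_hit and (ext_hit or dir_hit):
        findings.append("T1053.005: task action runs a script host from a staging path: " + parsed["tr"])
    if tn in LOOKALIKE_NAMES:
        findings.append("T1036.004: task name mimics a Microsoft product: " + parsed["tn"])
    return findings


def scan(events: list) -> list:
    """Run the analyzer over event dicts; return (index, findings) for hits only."""
    hits = []
    for i, ev in enumerate(events):
        if ev["Image"].lower().endswith("schtasks.exe"):
            f = analyze_schtasks(ev["CommandLine"])
            if f:
                hits.append((i, f))
    return hits


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(f"event {idx}:")
        for line in findings:
            print("  " + line)
```

Keeping the two checks separate matters in practice: the masquerade name is cheap for the adversary to change, while launching a script host against a .vbe in a temp directory is the behaviour the persistence actually depends on, so the first finding should carry the weight in any scoring.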
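The T1027.010 and T1140 rows describe the backdoor body as a multi-layer obfuscated, encoded and compressed blob that the loader reverses with character replacement and XOR decoding before running it. The script below is an added example, not POWERSTATS code, showing how an analyst peels such layers without the loader's help: the substitution table, the layer order (gzip, then single-byte XOR, then base64, then character substitution) and the key are all assumptions for this demo and are not the real POWERSTATS scheme. The point it makes is that a compressed inner layer is a known-plaintext oracle: after undoing the substitution and base64, every candidate XOR key can be tested against the gzip magic bytes 1F 8B, so the key never has to be extracted from the loader.

```python
import base64
import gzip
from typing import Optional

# Harmless stand-in for the real stage; constructed for this example.
PAYLOAD = "Write-Host 'stage-2 placeholder'"

# Assumed character substitution that a loader would undo with .Replace():
# base64 padding and '/' are swapped for characters outside the base64 alphabet.
SUBST = {"=": "!", "/": "@"}
XOR_KEY = 0x5A  # assumed single-byte key used by the packer in this demo


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the only XOR variant this demo models)."""
    return bytes(b ^ key for b in data)


def pack(script: str, key: int = XOR_KEY) -> str:
    """Packer side (constructed): gzip -> XOR -> base64 -> character substitution."""
    blob = base64.b64encode(xor_single(gzip.compress(script.encode()), key)).decode()
    for src, dst in SUBST.items():
        blob = blob.replace(src, dst)
    return blob


def undo_substitution(blob: str) -> str:
    """Reverse the character replacement layer so the text is valid base64 again."""
    for src, dst in SUBST.items():
        blob = blob.replace(dst, src)
    return blob


def recover_xor_key(data: bytes) -> Optional[int]:
    """Known-plaintext attack: the layer under the XOR is gzip, whose first two
    bytes are always 1F 8B. Try all 256 single-byte keys and keep the one that
    produces that header."""
    if len(data) < 2:
        return None
    for k in range(256):
        if data[0] ^ k == 0x1F and data[1] ^ k == 0x8B:
            return k
    return None


def peel(blob: str) -> str:
    """Analyst side: substitution -> base64 -> XOR (key recovered) -> gunzip."""
    raw = base64.b64decode(undo_substitution(blob))
    key = recover_xor_key(raw)
    if key is None:
        raise ValueError("no single-byte XOR key yields a gzip header; layer order or key width differs")
    return gzip.decompress(xor_single(raw, key)).decode()


if __name__ == "__main__":
    blob = pack(PAYLOAD)
    print("packed:", blob)
    print("recovered:", peel(blob))
```

For a multi-byte XOR key the same oracle still works, one key byte per position, as long as the key is shorter than the known header plus the fixed fields that follow it (gzip's method byte 08 and flags give a few more known bytes); beyond that, frequency analysis on the output or a second known layer is needed.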
Groups That Use This Software
ID | Name | References |
---|---|---|
G0069 | MuddyWater | [2][4][1][3][7] |
References
[1] ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
[2] Lancaster, T. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
[3] Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
[4] Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
[5] Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
[6] FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
[7] ClearSky. (2019, June). Iranian APT group 'MuddyWater' Adds Exploits to Their Arsenal. Retrieved May 14, 2020.