Skip to content

S0223 POWERSTATS

POWERSTATS is a PowerShell-based first stage backdoor used by MuddyWater. 1

Item Value
ID S0223
Associated Names Powermud
Type MALWARE
Version 2.1
Created 18 April 2018
Last Modified 23 June 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Powermud 3

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account POWERSTATS can retrieve usernames from compromised hosts.4
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell POWERSTATS uses PowerShell for obfuscation and execution.125
enterprise T1059.005 Visual Basic POWERSTATS can use VBScript (VBE) code for execution.25
enterprise T1059.007 JavaScript POWERSTATS can use JavaScript code for execution.2
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding POWERSTATS encoded C2 traffic with base64.1
enterprise T1005 Data from Local System POWERSTATS can upload files from compromised hosts.4
enterprise T1140 Deobfuscate/Decode Files or Information POWERSTATS can deobfuscate the main backdoor code.2
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography POWERSTATS has encrypted C2 traffic with RSA.4
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools POWERSTATS can disable Microsoft Office Protected View by changing Registry keys.4
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion POWERSTATS can delete all files on the C:\, D:\, E:\ and, F:\ drives using PowerShell Remove-Item commands.4
enterprise T1105 Ingress Tool Transfer POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server.4
enterprise T1559 Inter-Process Communication -
enterprise T1559.001 Component Object Model POWERSTATS can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts.4
enterprise T1559.002 Dynamic Data Exchange POWERSTATS can use DDE to execute additional payloads on compromised hosts.4
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service POWERSTATS has created a scheduled task named “MicrosoftEdge” to establish persistence.2
enterprise T1027 Obfuscated Files or Information POWERSTATS uses character replacement, PowerShell environment variables, and XOR encoding to obfuscate code. POWERSTATS‘s backdoor code is a multi-layer obfuscated, encoded, and compressed blob. 42 POWERSTATS has used PowerShell code with custom string obfuscation 5
enterprise T1027.001 Binary Padding POWERSTATS has used useless code blocks to counter analysis.5
enterprise T1057 Process Discovery POWERSTATS has used get_tasklist to discover processes on the compromised host.5
enterprise T1090 Proxy -
enterprise T1090.002 External Proxy POWERSTATS has connected to C2 servers through proxies.4
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task POWERSTATS has established persistence through a scheduled task using the command ”C:\Windows\system32\schtasks.exe” /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR “c:\Windows\system32\wscript.exe C:\Windows\temp\Windows.vbe”.2
enterprise T1029 Scheduled Transfer POWERSTATS can sleep for a given number of seconds.4
enterprise T1113 Screen Capture POWERSTATS can retrieve screenshots from compromised hosts.45
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery POWERSTATS has detected security tools.4
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.005 Mshta POWERSTATS can use Mshta.exe to execute additional payloads on compromised hosts.4
enterprise T1082 System Information Discovery POWERSTATS can retrieve OS name/architecture and computer/domain name information from compromised hosts.45
enterprise T1016 System Network Configuration Discovery POWERSTATS can retrieve IP, network adapter configuration information, and domain from compromised hosts.45
enterprise T1033 System Owner/User Discovery POWERSTATS has the ability to identify the username on the compromised host.5
enterprise T1047 Windows Management Instrumentation POWERSTATS can use WMI queries to retrieve data from compromised hosts.42

Groups That Use This Software

ID Name References
G0069 MuddyWater 14236

References

Back to top