S1012 PowerLess
PowerLess is a PowerShell-based modular backdoor that has been used by Magic Hound since at least 2022.[1]
| Item | Value |
|---|---|
| ID | S1012 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 01 June 2022 |
| Last Modified | 28 March 2023 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1560 | Archive Collected Data | PowerLess can encrypt browser database files prior to exfiltration.[1] |
| enterprise | T1217 | Browser Information Discovery | PowerLess has a browser info stealer module that can read Chrome and Edge browser database files.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | PowerLess is written in and executed via PowerShell without using powershell.exe.[1] |
| enterprise | T1005 | Data from Local System | PowerLess has the ability to exfiltrate data, including Chrome and Edge browser database files, from compromised machines.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | PowerLess can stage stolen browser data in C:\\Windows\\Temp\\cup.tmp and keylogger data in C:\\Windows\\Temp\\Report.06E17A5A-7325-4325-8E5D-E172EBA7FC5BK.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | PowerLess can use base64 and AES ECB decryption prior to execution of downloaded modules.[1] |
| enterprise | T1573 | Encrypted Channel | PowerLess can use an encrypted channel for C2 communications.[1] |
| enterprise | T1105 | Ingress Tool Transfer | PowerLess can download additional payloads to a compromised host.[1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | PowerLess can use a module to log keystrokes.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0059 | Magic Hound | [1] |