Skip to content

S1046 PowGoop

PowGoop is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been used by MuddyWater as their main loader.21

Item Value
ID S1046
Associated Names
Type MALWARE
Version 1.0
Created 29 September 2022
Last Modified 17 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols PowGoop can send HTTP GET requests to malicious servers.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell PowGoop has the ability to use PowerShell scripts to execute commands.2
enterprise T1132 Data Encoding -
enterprise T1132.002 Non-Standard Encoding PowGoop can use a modified Base64 encoding mechanism to send data to and from the C2 server.1
enterprise T1140 Deobfuscate/Decode Files or Information PowGoop can decrypt PowerShell scripts for execution.21
enterprise T1573 Encrypted Channel PowGoop can receive encrypted commands from C2.2
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading PowGoop can side-load Goopdate.dll into GoogleUpdate.exe.21
enterprise T1036 Masquerading PowGoop has disguised a PowerShell script as a .dat file (goopdate.dat).2
enterprise T1036.005 Match Legitimate Name or Location PowGoop has used a DLL named Goopdate.dll to impersonate a legitimate Google update file.2

Groups That Use This Software

ID Name References
G0069 MuddyWater 2

References

  1. Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022. 

  2. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.