S1173 PowerExchange
PowerExchange is a PowerShell backdoor that has been used by OilRig since at least 2023, including against government targets in the Middle East. [1]
| Item | Value |
|---|---|
| ID | S1173 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 27 November 2024 |
| Last Modified | 27 November 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.003 | Mail Protocols | PowerExchange can receive and send back the results of executed C2 commands through email. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | PowerExchange can use PowerShell to execute commands received from C2. [1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | PowerExchange can decode and decrypt C2 commands received via email. [1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | PowerExchange can exfiltrate files via its email C2 channel. [1] |
| enterprise | T1105 | Ingress Tool Transfer | PowerExchange can decode Base64-encoded files and call WriteAllBytes to write the files to compromised hosts. [1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0049 | OilRig | [1] |