POWERSTATS

POWERSTATS is a PowerShell-based first stage backdoor used by MuddyWater. (Citation: Unit 42 MuddyWater Nov 2017)
ID: S0223
Associated Software: Powermud
Type: MALWARE
Platforms: Windows
Version: 2.3
Created: 18 Apr 2018
Last Modified: 22 Mar 2023

Associated Software Descriptions

Name: Powermud
Description: (Citation: Symantec MuddyWater Dec 2018)

Techniques Used

Domain ID Name Use
Enterprise T1087.001 Account Discovery: Local Account

POWERSTATS can retrieve usernames from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

POWERSTATS uses PowerShell for obfuscation and execution.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: ClearSky MuddyWater Nov 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)(Citation: DHS CISA AA22-055A MuddyWater February 2022)

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

POWERSTATS can use VBScript (VBE) code for execution.(Citation: ClearSky MuddyWater Nov 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript

POWERSTATS can use JavaScript code for execution.(Citation: ClearSky MuddyWater Nov 2018)

Enterprise T1132.001 Data Encoding: Standard Encoding

POWERSTATS encoded C2 traffic with base64.(Citation: Unit 42 MuddyWater Nov 2017)

Enterprise T1573.002 Encrypted Channel: Asymmetric Cryptography

POWERSTATS has encrypted C2 traffic with RSA.(Citation: FireEye MuddyWater Mar 2018)

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

POWERSTATS can disable Microsoft Office Protected View by changing Registry keys.(Citation: FireEye MuddyWater Mar 2018)

Enterprise T1070.004 Indicator Removal: File Deletion

POWERSTATS can delete all files on the C:\, D:\, E:\, and F:\ drives using PowerShell Remove-Item commands.(Citation: FireEye MuddyWater Mar 2018)

Enterprise T1559.001 Inter-Process Communication: Component Object Model

POWERSTATS can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts.(Citation: FireEye MuddyWater Mar 2018)

Enterprise T1559.002 Inter-Process Communication: Dynamic Data Exchange

POWERSTATS can use DDE to execute additional payloads on compromised hosts.(Citation: FireEye MuddyWater Mar 2018)

Enterprise T1036.004 Masquerading: Masquerade Task or Service

POWERSTATS has created a scheduled task named "MicrosoftEdge" to establish persistence.(Citation: ClearSky MuddyWater Nov 2018)

Enterprise T1027.001 Obfuscated Files or Information: Binary Padding

POWERSTATS has used useless code blocks to counter analysis.(Citation: TrendMicro POWERSTATS V3 June 2019)

Enterprise T1027.010 Obfuscated Files or Information: Command Obfuscation

POWERSTATS uses character replacement, PowerShell environment variables, and XOR encoding to obfuscate code. POWERSTATS's backdoor code is a multi-layer obfuscated, encoded, and compressed blob.(Citation: FireEye MuddyWater Mar 2018)(Citation: ClearSky MuddyWater Nov 2018) POWERSTATS has used PowerShell code with custom string obfuscation.(Citation: TrendMicro POWERSTATS V3 June 2019)
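The layering described above (base64 on the wire, XOR encoding and compression around the PowerShell code) is what an analyst has to undo before the backdoor can be read. The following Python is an added example, not code from the ATT&CK entry or from any MuddyWater report: it peels such layers in whatever order they appear, and also handles the UTF-16LE layer that powershell.exe -EncodedCommand adds. The inner script, the XOR key k3y and the layer order are constructed for the example; a real sample's key and order have to be recovered from its own decoder stub.

```python
import base64
import binascii
import re
import zlib

# Constructed sample (not a real POWERSTATS payload): a harmless one-liner
# wrapped as a loader would wrap it: raw-deflate compress, XOR with a short
# repeating key, then base64 so it can sit inside a script or a C2 reply.
INNER_SCRIPT = "Write-Output 'stage-two'"
XOR_KEY = b"k3y"  # assumed key for the example; real keys come from the sample's stub


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample() -> str:
    """Produce the three-layer blob the peeler is expected to unwrap."""
    comp = zlib.compressobj(wbits=-zlib.MAX_WBITS)  # raw deflate, like .NET DeflateStream
    compressed = comp.compress(INNER_SCRIPT.encode("utf-8")) + comp.flush()
    return base64.b64encode(xor_bytes(compressed, XOR_KEY)).decode("ascii")


def build_encoded_command(script: str) -> str:
    """What powershell.exe -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def looks_like_text(data: bytes) -> bool:
    """Stop condition: non-empty printable text, i.e. the script itself."""
    if not data:
        return False
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def try_base64(data: bytes):
    s = data.strip()
    if len(s) < 8 or len(s) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def try_utf16(data: bytes):
    """UTF-16LE text has a NUL high byte for every ASCII character."""
    if len(data) < 2 or len(data) % 2:
        return None
    high = data[1::2]
    if high.count(0) < 0.8 * len(high):
        return None
    try:
        return data.decode("utf-16-le").encode("utf-8")
    except UnicodeDecodeError:
        return None


def plausible(data: bytes) -> bool:
    """A decoded layer is worth keeping if it is text or another known layer."""
    return looks_like_text(data) or try_base64(data) is not None or try_utf16(data) is not None


def try_decompress(data: bytes):
    """zlib, gzip or raw deflate. Raw deflate carries no checksum, so random
    bytes can 'decompress' without error; keep that output only if plausible."""
    for wbits in (zlib.MAX_WBITS, zlib.MAX_WBITS | 16, -zlib.MAX_WBITS):
        try:
            out = zlib.decompress(data, wbits)
        except zlib.error:
            continue
        if wbits > 0 or plausible(out):
            return out
    return None


def peel_layers(blob, xor_keys=(), max_depth=8):
    """Strip layers until printable text or an unknown layer is reached.
    Returns (layer names in the order removed, final bytes)."""
    data = blob.encode("utf-8") if isinstance(blob, str) else bytes(blob)
    layers = []
    for _ in range(max_depth):
        out = try_base64(data)
        if out is not None:
            layers.append("base64"); data = out; continue
        if looks_like_text(data):
            break
        out = try_utf16(data)
        if out is not None:
            layers.append("utf-16le"); data = out; continue
        out = try_decompress(data)
        if out is not None:
            layers.append("deflate"); data = out; continue
        # XOR always "succeeds", so accept a key only if it exposes a known layer.
        for key in xor_keys:
            candidate = xor_bytes(data, key)
            if plausible(candidate) or try_decompress(candidate) is not None:
                layers.append("xor:" + key.decode("ascii", "replace")); data = candidate; break
        else:
            break
    return layers, data


if __name__ == "__main__":
    names, script = peel_layers(build_sample(), xor_keys=[XOR_KEY])
    print(names, script.decode("utf-8"))
```

The order of attempts matters: base64 is tried before the text check because base64 is itself printable, and XOR is tried last because it cannot fail on its own. Candidate XOR keys are supplied by the analyst; the routine does not brute-force them.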

Enterprise T1090.002 Proxy: External Proxy

POWERSTATS has connected to C2 servers through proxies.(Citation: FireEye MuddyWater Mar 2018)

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

POWERSTATS has established persistence through a scheduled task using the command "C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR "c:\Windows\system32\wscript.exe C:\Windows\temp\Windows.vbe".(Citation: ClearSky MuddyWater Nov 2018)
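The command above is a compact hunting signature: a task whose name borrows a product name (MicrosoftEdge, the masquerading noted under T1036.004) and whose action is a script host (wscript.exe) pointed at a script in C:\Windows\temp. The following Python is an added example, not part of the ATT&CK entry or of any vendor report: it parses schtasks.exe /Create command lines as they appear in process-creation telemetry (Sysmon Event ID 1 or Security event 4688 CommandLine fields), extracts /TN and /TR, and raises a finding only when at least two independent signals coincide. The sample events, host names, staging-directory list and vendor-word list are constructed assumptions to tune locally; the same logic also catches tasks built around mshta.exe, another launcher the entry lists for POWERSTATS.

```python
import ntpath
import re

# Launchers that run attacker-supplied script content rather than a product binary.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Staging directories a vendor's own task would not launch from (assumed list).
SUSPICIOUS_DIRS = re.compile(r"\\(?:windows\\temp|temp|tmp|appdata|users\\public|programdata)\\", re.I)
# Task names that borrow vendor/product words (assumed list for the masquerading check).
LOOKALIKE_NAME = re.compile(r"^(?:microsoft|windows|google|adobe|edge|chrome|defender|update)", re.I)
# Windows-style tokenizer: a double-quoted span is one argument, otherwise split on whitespace.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Constructed process-creation events (not real telemetry). The first mirrors the
# command quoted in the entry; the others are benign and mshta.exe variants.
SAMPLE_EVENTS = [
    {"host": "WS-017", "cmdline": r'"C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 12:00 '
                                  r'/TN MicrosoftEdge /TR "c:\Windows\system32\wscript.exe C:\Windows\temp\Windows.vbe"'},
    {"host": "WS-018", "cmdline": r'"C:\Windows\system32\schtasks.exe" /Create /SC WEEKLY /D MON '
                                  r'/TN AcmeBackup /TR "C:\Acme\backup.exe --full"'},
    {"host": "WS-019", "cmdline": r'schtasks.exe /Create /SC MINUTE /MO 30 /TN GoogleUpdateTask '
                                  r'/TR "mshta.exe C:\Users\Public\Libraries\update.hta"'},
    {"host": "WS-020", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def tokenize(cmdline: str) -> list:
    return [m.group(1) if m.group(1) is not None else m.group(2) for m in TOKEN.finditer(cmdline)]


def parse_schtasks(cmdline: str):
    """Return {name, action, schedule} for a schtasks /Create command line, else None."""
    toks = tokenize(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("schtasks.exe", "schtasks"):
        return None
    position = {t.lower(): i for i, t in enumerate(toks)}
    if "/create" not in position:
        return None

    def value(flag):
        i = position.get(flag)
        return toks[i + 1] if i is not None and i + 1 < len(toks) else None

    return {"name": value("/tn"), "action": value("/tr"), "schedule": value("/sc")}


def assess(task: dict) -> list:
    """Independent signals: each is weak alone, together they form the pattern above."""
    reasons = []
    action_toks = tokenize(task["action"] or "")
    launcher = ntpath.basename(action_toks[0]).lower() if action_toks else ""
    if launcher in SCRIPT_HOSTS:
        reasons.append(f"action runs script host {launcher}")
    for arg in action_toks:
        if SUSPICIOUS_DIRS.search(arg):
            reasons.append(f"payload staged in user-writable path {arg}")
            break
    if task["name"] and LOOKALIKE_NAME.match(task["name"]):
        reasons.append(f"task name {task['name']!r} imitates a vendor product")
    return reasons


def hunt(events: list, min_signals: int = 2) -> list:
    """Flag schtasks /Create events that carry at least min_signals independent signals."""
    findings = []
    for ev in events:
        task = parse_schtasks(ev["cmdline"])
        if task is None:
            continue
        reasons = assess(task)
        if len(reasons) >= min_signals:
            findings.append({"host": ev["host"], "task": task["name"],
                             "action": task["action"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["host"], f["task"], "->", "; ".join(f["reasons"]))
```

Requiring two signals keeps legitimate tasks that happen to run powershell.exe from alerting on the launcher alone; the same three checks can be run over the XML of existing tasks under C:\Windows\System32\Tasks to hunt retroactively rather than only on creation events.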

Enterprise T1518.001 Software Discovery: Security Software Discovery

POWERSTATS has detected security tools.(Citation: FireEye MuddyWater Mar 2018)

Enterprise T1218.005 System Binary Proxy Execution: Mshta

POWERSTATS can use Mshta.exe to execute additional payloads on compromised hosts.(Citation: FireEye MuddyWater Mar 2018)

Groups That Use This Software

ID: G0069
Name: MuddyWater
References: (Citation: Unit 42 MuddyWater Nov 2017) (Citation: FireEye MuddyWater Mar 2018) (Citation: ClearSky MuddyWater Nov 2018) (Citation: Symantec MuddyWater Dec 2018) (Citation: ClearSky MuddyWater June 2019)
