Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент POWERSTATS
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
POWERSTATS
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

POWERSTATS

POWERSTATS is a PowerShell-based first stage backdoor used by MuddyWater. (Citation: Unit 42 MuddyWater Nov 2017)
ID: S0223
Associated Software: Powermud
Type: MALWARE
Platforms: Windows
Version: 2.2
Created: 18 Apr 2018
Last Modified: 12 Oct 2022

Associated Software Descriptions
Name Description
Powermud (Citation: Symantec MuddyWater Dec 2018)

Techniques Used
Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

POWERSTATS can retrieve usernames from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

POWERSTATS uses PowerShell for obfuscation and execution.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: ClearSky MuddyWater Nov 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)(Citation: DHS CISA AA22-055A MuddyWater February 2022)
.005 Command and Scripting Interpreter: Visual Basic

POWERSTATS can use VBScript (VBE) code for execution.(Citation: ClearSky MuddyWater Nov 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)

.007 Command and Scripting Interpreter: JavaScript

POWERSTATS can use JavaScript code for execution.(Citation: ClearSky MuddyWater Nov 2018)

Enterprise T1132 .001 Data Encoding: Standard Encoding

POWERSTATS encoded C2 traffic with base64.(Citation: Unit 42 MuddyWater Nov 2017)
Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

POWERSTATS has encrypted C2 traffic with RSA.(Citation: FireEye MuddyWater Mar 2018)
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

POWERSTATS can disable Microsoft Office Protected View by changing Registry keys.(Citation: FireEye MuddyWater Mar 2018)
Enterprise T1070 .004 Indicator Removal: File Deletion

POWERSTATS can delete all files on the C:\, D:\, E:\ and, F:\ drives using PowerShell Remove-Item commands.(Citation: FireEye MuddyWater Mar 2018)
Enterprise T1559 .001 Inter-Process Communication: Component Object Model

POWERSTATS can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts.(Citation: FireEye MuddyWater Mar 2018)
.002 Inter-Process Communication: Dynamic Data Exchange

POWERSTATS can use DDE to execute additional payloads on compromised hosts.(Citation: FireEye MuddyWater Mar 2018)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

POWERSTATS has created a scheduled task named "MicrosoftEdge" to establish persistence.(Citation: ClearSky MuddyWater Nov 2018)
Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

POWERSTATS has used useless code blocks to counter analysis.(Citation: TrendMicro POWERSTATS V3 June 2019)
Enterprise T1090 .002 Proxy: External Proxy

POWERSTATS has connected to C2 servers through proxies.(Citation: FireEye MuddyWater Mar 2018)
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

POWERSTATS has established persistence through a scheduled task using the command ”C:\Windows\system32\schtasks.exe” /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR “c:\Windows\system32\wscript.exe C:\Windows\temp\Windows.vbe”.(Citation: ClearSky MuddyWater Nov 2018)
Enterprise T1518 .001 Software Discovery: Security Software Discovery

POWERSTATS has detected security tools.(Citation: FireEye MuddyWater Mar 2018)
Enterprise T1218 .005 System Binary Proxy Execution: Mshta

POWERSTATS can use Mshta.exe to execute additional payloads on compromised hosts.(Citation: FireEye MuddyWater Mar 2018)

Groups That Use This Software
ID Name References
G0069 MuddyWater

(Citation: Unit 42 MuddyWater Nov 2017) (Citation: FireEye MuddyWater Mar 2018) (Citation: ClearSky MuddyWater Nov 2018) (Citation: Symantec MuddyWater Dec 2018) (Citation: ClearSky MuddyWater June 2019)

References

  1. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  2. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  3. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  4. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  5. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  6. ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
  7. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.