POWERSTATS
Associated Software Descriptions

Name | Description
---|---
Powermud | (Citation: Symantec MuddyWater Dec 2018)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087.001 | Account Discovery: Local Account | POWERSTATS can retrieve usernames from compromised hosts. (Citation: FireEye MuddyWater Mar 2018)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | POWERSTATS uses PowerShell for obfuscation and execution. (Citation: Unit 42 MuddyWater Nov 2017) (Citation: ClearSky MuddyWater Nov 2018) (Citation: TrendMicro POWERSTATS V3 June 2019) (Citation: DHS CISA AA22-055A MuddyWater February 2022)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | POWERSTATS can use VBScript (VBE) code for execution. (Citation: ClearSky MuddyWater Nov 2018) (Citation: TrendMicro POWERSTATS V3 June 2019)
Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | POWERSTATS can use JavaScript code for execution. (Citation: ClearSky MuddyWater Nov 2018)
Enterprise | T1132.001 | Data Encoding: Standard Encoding | POWERSTATS encoded C2 traffic with base64. (Citation: Unit 42 MuddyWater Nov 2017)
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | POWERSTATS has encrypted C2 traffic with RSA. (Citation: FireEye MuddyWater Mar 2018)
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | POWERSTATS can disable Microsoft Office Protected View by changing Registry keys. (Citation: FireEye MuddyWater Mar 2018)
Enterprise | T1070.004 | Indicator Removal: File Deletion | POWERSTATS can delete all files on the C:\, D:\, E:\, and F:\ drives using PowerShell Remove-Item commands. (Citation: FireEye MuddyWater Mar 2018)
Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | POWERSTATS can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts. (Citation: FireEye MuddyWater Mar 2018)
Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | POWERSTATS can use DDE to execute additional payloads on compromised hosts. (Citation: FireEye MuddyWater Mar 2018)
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | POWERSTATS has created a scheduled task named "MicrosoftEdge" to establish persistence. (Citation: ClearSky MuddyWater Nov 2018)
Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | POWERSTATS has used useless code blocks to counter analysis. (Citation: TrendMicro POWERSTATS V3 June 2019)
Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | POWERSTATS uses character replacement, PowerShell environment variables, and XOR encoding to obfuscate code. POWERSTATS's backdoor code is a multi-layer obfuscated, encoded, and compressed blob. (Citation: FireEye MuddyWater Mar 2018) (Citation: ClearSky MuddyWater Nov 2018) POWERSTATS has used PowerShell code with custom string obfuscation. (Citation: TrendMicro POWERSTATS V3 June 2019)
Enterprise | T1090.002 | Proxy: External Proxy | POWERSTATS has connected to C2 servers through proxies. (Citation: FireEye MuddyWater Mar 2018)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | POWERSTATS has established persistence through a scheduled task using the command
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | POWERSTATS has detected security tools. (Citation: FireEye MuddyWater Mar 2018)
Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | POWERSTATS can use Mshta.exe to execute additional payloads on compromised hosts. (Citation: FireEye MuddyWater Mar 2018)
Groups That Use This Software

ID | Name | References
---|---|---
G0069 | MuddyWater | (Citation: Unit 42 MuddyWater Nov 2017) (Citation: FireEye MuddyWater Mar 2018) (Citation: ClearSky MuddyWater Nov 2018) (Citation: Symantec MuddyWater Dec 2018) (Citation: ClearSky MuddyWater June 2019)
References

- Lancaster, T. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
- ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
- Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
- Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
- Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
- ClearSky. (2019, June). Iranian APT group 'MuddyWater' Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
- FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.