PowGoop
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
PowGoop can send HTTP GET requests to malicious servers.(Citation: CYBERCOM Iranian Intel Cyber January 2022) |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
PowGoop has the ability to use PowerShell scripts to execute commands.(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
| Enterprise | T1132 | .002 | Data Encoding: Non-Standard Encoding |
PowGoop can use a modified Base64 encoding mechanism to send data to and from the C2 server.(Citation: CYBERCOM Iranian Intel Cyber January 2022) |
| Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
PowGoop can side-load `Goopdate.dll` into `GoogleUpdate.exe`.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: CYBERCOM Iranian Intel Cyber January 2022) |
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
PowGoop has used a DLL named Goopdate.dll to impersonate a legitimate Google update file.(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0069 | MuddyWater |
(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
References
- Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.
- FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.