Nothing Special   »   [go: up one dir, main page]
  1. Home
  2. Software
  3. PowerShower

PowerShower

PowerShower is a PowerShell backdoor used by Inception for initial reconnaissance and to download and execute second stage payloads.[1][2]

ID: S0441
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 08 May 2020
Last Modified: 20 May 2020
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

PowerShower has sent HTTP GET and POST requests to C2 servers to send information and receive instructions.[1]
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

PowerShower has used 7Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration.[2]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

PowerShower sets up persistence with a Registry run key.[1]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

PowerShower is a backdoor written in PowerShell.[1]
.005 Command and Scripting Interpreter: Visual Basic

PowerShower has the ability to save and execute VBScript.[1]
Enterprise T1132 .001 Data Encoding: Standard Encoding

PowerShower has the ability to encode C2 communications with base64 encoding.[1][2]
Enterprise T1041 Exfiltration Over C2 Channel

PowerShower has used a PowerShell document stealer module to pack and exfiltrate .txt, .pdf, .xls or .doc files smaller than 5MB that were modified during the past two days.[2]
Enterprise T1564 .003 Hide Artifacts: Hidden Window

PowerShower has added a registry key so future powershell.exe instances are spawned with coordinates for a window position off-screen by default.[1]
Enterprise T1070 .004 Indicator Removal: File Deletion

PowerShower has the ability to remove all files created during the dropper process.[1]
Enterprise T1112 Modify Registry

PowerShower has added a registry key so future powershell.exe instances are spawned off-screen by default, and has removed all registry entries that are left behind during the dropper process.[1]
Enterprise T1057 Process Discovery

PowerShower has the ability to deploy a reconnaissance module to retrieve a list of the active processes.[2]
Enterprise T1082 System Information Discovery

PowerShower has collected system information on the infected host.[1]
Enterprise T1016 System Network Configuration Discovery

PowerShower has the ability to identify the current Windows domain of the infected host.[2]
Enterprise T1033 System Owner/User Discovery

PowerShower has the ability to identify the current user on the infected host.[2]

Groups That Use This Software

ID Name References
G0100 Inception

[1]

References

  1. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
  1. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.