Openhunting Threat Library

PowerSpritz

PowerSpritz
(Type: Dropper, Downloader)

(Proofpoint) PowerSpritz is a Windows executable that hides both its legitimate payload and malicious PowerShell command using a non-standard implementation of the already rarely used Spritz encryption algorithm. PowerSpritz decrypts a legitimate Skype or Telegram installer using a custom Spritz implementation with the key “Znxkai@if8qa9w9489”. PowerSpritz then writes the legitimate installer to disk in the directory returned by GetTempPathA either as a hardcoded filename such as SkypeSetup.exe or, in some versions, as the filename returned by GetTempFileNameA. The installer is then executed to trick the potential victim into thinking they downloaded a legitimate, working application installer or update. Finally, Spritz uses the same key to decrypt a PowerShell command that downloads the first stage of {{PowerRatankba}}.

[News Analysis] Trends:

Total Trend: 1

Trend Per Year
1
2017


Trend Per Month
1
Dec 2017



[News Analysis] News Mention Another Threat Name:

3 - QUICKCAFE3 - PowerSpritz3 - Ghost RAT3 - PowerRatankba


[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

North Korea Bitten by Bitcoin Bug

2017-12-19 by Darien Huss from Proofpoint

Basic Information (Credit @etda.or.th)

Tool: PowerSpritz

Names: PowerSpritz

Description: (Proofpoint) PowerSpritz is a Windows executable that hides both its legitimate payload and malicious PowerShell command using a non-standard implementation of the already rarely used Spritz encryption algorithm. PowerSpritz decrypts a legitimate Skype or Telegram installer using a custom Spritz implementation with the key “Znxkai@if8qa9w9489”. PowerSpritz then writes the legitimate installer to disk in the directory returned by GetTempPathA either as a hardcoded filename such as SkypeSetup.exe or, in some versions, as the filename returned by GetTempFileNameA. The installer is then executed to trick the potential victim into thinking they downloaded a legitimate, working application installer or update. Finally, Spritz uses the same key to decrypt a PowerShell command that downloads the first stage of {{PowerRatankba}}.

Category: Malware

Type: Dropper, Downloader

Information: https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerspritz

Last-card-change: 2020-04-23

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact