POWRUNER (Type: Backdoor)

(FireEye) POWRUNER is a PowerShell script that sends and receives commands to and from the C2 server.

[News Analysis] Trends:

Total Trend: 2

Trend Per Year: 2018: 1, 2019: 1

Trend Per Month: Apr 2018: 1, Aug 2019: 1



[News Analysis] News Mention Another Threat Name:

11 - TwoFace
11 - BONDUPDATER
11 - POWRUNER
11 - QUADAGENT
11 - Helminth
11 - ISMAgent
11 - Karkoff
11 - LONGWATCH
11 - OopsIE
11 - PICKPOCKET
11 - RGDoor
11 - VALUEVAULT


[TTP Analysis] Technique Performance (techniques observed / techniques in tactic):

Reconnaissance: 0/43
Resource Development: 0/45
Initial Access: 0/19
Execution: 4/36
Persistence: 1/113
Privilege Escalation: 1/96
Defense Evasion: 0/184
Credential Access: 0/63
Discovery: 11/44
Lateral Movement: 0/22
Collection: 1/37
Command and Control: 4/39
Exfiltration: 0/18
Impact: 0/26


[TTP Analysis] Mitre Attack Matrix:

Tactics: TA0043 Reconnaissance, TA0042 Resource Development, TA0001 Initial Access, TA0002 Execution, TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion, TA0006 Credential Access, TA0007 Discovery, TA0008 Lateral Movement, TA0009 Collection, TA0011 Command and Control, TA0010 Exfiltration, TA0040 Impact

Execution (TA0002):
T1059.001 Command and Scripting Interpreter: PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1053.005 Scheduled Task/Job: Scheduled Task
T1047 Windows Management Instrumentation

Persistence (TA0003):
T1053.005 Scheduled Task/Job: Scheduled Task

Privilege Escalation (TA0004):
T1053.005 Scheduled Task/Job: Scheduled Task

Discovery (TA0007):
T1087.002 Account Discovery: Domain Account
T1083 File and Directory Discovery
T1069.001 Permission Groups Discovery: Local Groups
T1069.002 Permission Groups Discovery: Domain Groups
T1057 Process Discovery
T1012 Query Registry
T1518.001 Software Discovery: Security Software Discovery
T1082 System Information Discovery
T1016 System Network Configuration Discovery
T1049 System Network Connections Discovery
T1033 System Owner/User Discovery

Collection (TA0009):
T1113 Screen Capture

Command and Control (TA0011):
T1071.001 Application Layer Protocol: Web Protocols
T1071.004 Application Layer Protocol: DNS
T1132.001 Data Encoding: Standard Encoding
T1105 Ingress Tool Transfer


[Infrastructure Analysis] Based on Related IOC:

IP:Port / Domain / URL (with Timestamp): no entries listed


[Target Analysis] Region/Sector:

No information


References:

Basic Information (Credit @etda.or.th)

Tool: POWRUNER

Names: POWRUNER

Description: (FireEye) POWRUNER is a PowerShell script that sends and receives commands to and from the C2 server.

Category: Malware

Type: Backdoor

Information: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html

Information: https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html

Mitre-attack: https://attack.mitre.org/software/S0184/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powruner

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:powruner

Last-card-change: 2020-05-13

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

Tactics: TA0043 Reconnaissance, TA0042 Resource Development, TA0001 Initial Access, TA0002 Execution, TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion, TA0006 Credential Access, TA0007 Discovery, TA0008 Lateral Movement, TA0009 Collection, TA0011 Command and Control, TA0010 Exfiltration, TA0040 Impact

Execution (TA0002):
T1059.001 Command and Scripting Interpreter: PowerShell
POWRUNER is written in PowerShell.
T1059.003 Command and Scripting Interpreter: Windows Command Shell
POWRUNER can execute commands from its C2 server.
T1053.005 Scheduled Task/Job: Scheduled Task
POWRUNER persists through a scheduled task that executes it every minute.
T1047 Windows Management Instrumentation
POWRUNER may use WMI when collecting information about a victim.

Persistence (TA0003):
T1053.005 Scheduled Task/Job: Scheduled Task
POWRUNER persists through a scheduled task that executes it every minute.

Privilege Escalation (TA0004):
T1053.005 Scheduled Task/Job: Scheduled Task
POWRUNER persists through a scheduled task that executes it every minute.

Discovery (TA0007):
T1087.002 Account Discovery: Domain Account
POWRUNER may collect user account information by running net user /domain or a series of other commands on a victim.
T1083 File and Directory Discovery
POWRUNER may enumerate user directories on a victim.
T1069.001 Permission Groups Discovery: Local Groups
POWRUNER may collect local group information by running net localgroup administrators or a series of other commands on a victim.
T1069.002 Permission Groups Discovery: Domain Groups
POWRUNER may collect domain group information by running net group /domain or a series of other commands on a victim.
T1057 Process Discovery
POWRUNER may collect process information by running tasklist on a victim.
T1012 Query Registry
POWRUNER may query the registry by running reg query on a victim.
T1518.001 Software Discovery: Security Software Discovery
POWRUNER may collect information on the victim's anti-virus software.
T1082 System Information Discovery
POWRUNER may collect information about the system by running hostname and systeminfo on a victim.
T1016 System Network Configuration Discovery
POWRUNER may collect network configuration data by running ipconfig /all on a victim.
T1049 System Network Connections Discovery
POWRUNER may collect active network connections by running netstat -an on a victim.
T1033 System Owner/User Discovery
POWRUNER may collect information about the currently logged-in user by running whoami on a victim.

Collection (TA0009):
T1113 Screen Capture
POWRUNER can capture a screenshot from a victim.

Command and Control (TA0011):
T1071.001 Application Layer Protocol: Web Protocols
POWRUNER can use HTTP for C2 communications.
T1071.004 Application Layer Protocol: DNS
POWRUNER can use DNS for C2 communications.
T1132.001 Data Encoding: Standard Encoding
POWRUNER can use Base64-encoded C2 communications.
T1105 Ingress Tool Transfer
POWRUNER can download or upload files from its C2 server.