PowerStallion

Malware Profile Updated 3 months ago
PowerStallion is a highly customized, lightweight PowerShell backdoor that uses Microsoft OneDrive as its Command and Control (C&C) server. Its main loop is deployed through access the operators already hold on the compromised host. OneDrive is reached over SMB for command and control, mapping to T1071 (Standard Application Layer Protocol). Because the OneDrive credentials are embedded in the PowerStallion script, the same channel is used to exfiltrate collected data, which maps to T1041 (Exfiltration Over Command and Control Channel). The payloads delivered by the PowerShell scripts, including the RPC backdoor and PowerStallion itself, are heavily tailored to each specific attack. PowerStallion can also send a list of running processes, mapping to T1057 (Process Discovery); this gives the operators a view of the target system that can inform further activity. To stay unnoticed, PowerStallion uses several evasion techniques. It modifies the timestamps of its log files, known as Timestomping (T1099), which makes it harder to reconstruct its activity from file times. In addition, both the RPC backdoor and PowerStallion encrypt their log files, aligning with Defense Evasion technique T1027 (Obfuscated Files or Information), which makes detection and analysis of the malware's activity significantly more difficult.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
PowerShell
T1041
T1099
T1071
T1027
T1057
Encrypt
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the PowerStallion malware was read from the documents below.
Source | Created | Title
Trend Micro | 10 months ago | Examining the Activities of the Turla APT Group
MITRE | a year ago | A dive into Turla PowerShell usage | WeLiveSecurity