PowerStallion

Malware updated 4 months ago (2024-11-29T14:09:14.107Z)
PowerStallion is a sophisticated malware developed in C++ and designed to compromise and damage computer systems. It operates as a lightweight PowerShell backdoor that uses Microsoft OneDrive as its command and control (C&C) server, an approach that lets its operators deliver highly customized payloads through PowerShell scripts and an RPC backdoor. The threat actor deploys PowerStallion through access it already holds, such as existing PowerShell implants, which makes it a stealthy and adaptable threat.

Its techniques map to the MITRE ATT&CK framework as follows. For exfiltration, it uses Exfiltration Over Command and Control Channel (T1041), sending stolen information back over the C&C channel. For command and control, it uses a Standard Application Layer Protocol (T1071): the RPC backdoor communicates over RPC, while PowerStallion reaches OneDrive via SMB. It performs Process Discovery (T1057) by sending the list of running processes, and Timestomp (T1099) by modifying the timestamps of its log file to evade detection. For defense evasion it also relies on Obfuscated Files or Information (T1027): both the RPC backdoor and PowerStallion encrypt the log file, which further complicates analysis of their activity.

Taken together, these techniques make PowerStallion a formidable threat, capable of stealing personal information, disrupting operations, and potentially holding data for ransom. Its use of OneDrive for C&C illustrates how malware continues to leverage mainstream platforms and services for malicious activity.
Description last updated: 2024-10-08T11:31:52.886Z
Aliases: none currently tracked.
Miscellaneous Associations (other elements of context that could aid in assessing relevance): PowerShell, Backdoor.
Source Document References
Information about the PowerStallion malware was read from the documents corpus below (display limited to 20 results).