POWERSTATS

Malware updated 2 months ago (2024-07-18T06:17:36.972Z)
PowerStats (also written POWERSTATS) is a PowerShell-based backdoor created by the MuddyWater cyberespionage group, which is linked to Iran. It is typically delivered without the user's knowledge through malicious downloads, phishing emails, or compromised websites, and once inside a system it can steal information, disrupt operations, or hold data for ransom.

MuddyWater initially used PowerStats as its primary backdoor but later shifted to abusing legitimate remote management software, according to Sekoia's advisory. The PowerStats payload has been launched through several methods, including CMSTP.exe, JavaScript files, mshta.exe, Visual Basic Script (VBS) files, and macros. For instance, MuddyWater used mshta.exe not only to execute the PowerStats payload but also to pass a PowerShell one-liner for execution. To obscure the location of its command and control (C2) infrastructure, MuddyWater operated PowerStats from behind a proxy network. The group has also developed other malware sets, including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and PowerStats, used for loading malware, backdoor access, persistence, and exfiltration.

Anomali Threat Research has uncovered a new campaign likely attributed to Static Kitten, another name for MuddyWater. Consistent with previous Static Kitten activity, the campaign's tactics, techniques, and procedures include ScreenConnect launch parameters crafted to target any Ministry of Foreign Affairs (MOFA) with mfa[.]gov as part of the custom field. The group continues to use the PowerStats backdoor, running PowerShell scripts to maintain persistent access to victim systems, alongside multiple malware sets for other malicious activities.
Description last updated: 2024-07-18T06:15:43.620Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
MuddyWater (2 votes): MuddyWater is a notable threat actor group that has been associated with various cyber-attacks, primarily targeting organizations in the Middle East, particularly Israeli entities, but also extending its activities to other nations including India, Jordan, Portugal, Turkey, and Azerbaijan. The group
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Source Document References
Information about the POWERSTATS malware was read from the document corpus below (this display is limited to 20 results).
Source (created): Title

DARKReading (2 months ago): Iranian Threat Group Drops New Backdoor, 'BugSleep'
CERT-EU (a year ago): Cyber security week in review: June 30, 2023
MITRE (2 years ago): Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies
MITRE (2 years ago): Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks | CISA
MITRE (2 years ago): Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms
MITRE (2 years ago): Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign | Mandiant
MITRE (2 years ago): Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity