POWERTON is a custom-built backdoor written in PowerShell. Like most backdoors of its kind it reaches a host through phishing mail, malicious links or staged downloads rather than through any flaw in the user's software, and once running it gives the operator remote command execution on the endpoint, a channel for installing further payloads, and its own persistence options. FireEye has not identified any publicly available toolset with similar features, which is why POWERTON is assessed to be purpose-written for the actor rather than an adapted open-source tool.
Microsoft observed HOLMIUM (the group FireEye tracks as APT33) using POWERTON to gain its initial foothold: the custom PowerShell backdoor was launched directly from an Outlook process by way of a malicious Outlook home page, so the first PowerShell execution showed up as a child of OUTLOOK.EXE rather than of a document reader. From there the actor installed additional payloads on the endpoint with different persistence mechanisms, namely WMI event subscriptions (T1084 in the ATT&CK numbering the report used, now T1546.003) and registry autorun keys (T1060, now T1547.001). Once the endpoint was under control the group spent hours exploring the victim's network, enumerating user accounts and machines for further compromise and moving laterally inside the perimeter. In another instance POWERTON was downloaded and installed by an AutoIt binary named "ClouldPackage.exe", with persistence then set up through POWERTON's own "persist" command.
POWERTON supports more than one persistence mechanism, WMI event subscriptions and autorun registry keys among them. The dropper payloads were crafted to download and execute POWERTON hosted on several different domains, and PoshC2 was also used to pull down new variants of it. FireEye detected this activity across its platform, with named detections for POSHC2, PUPYRAT and POWERTON. Because these payloads can blend in with routine PowerShell activity, defenders are advised to hunt for the Outlook home page shell and for the WMI and registry persistence, since those artifacts are what separates these payloads from ordinary scripts.
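The hunt the paragraph recommends can be scripted. The following is an added example written for this page; it is not FireEye's, Microsoft's or the actor's code, and nothing in it is specific to POWERTON beyond the three persistence locations named above: permanent WMI event subscriptions, Run/RunOnce keys, and the Outlook folder home page URL. It assumes Windows PowerShell 5.1 or later run with local administrator rights (root\subscription is not readable otherwise). The $SuspiciousPattern regex and the Policies registry path are assumptions to be tuned, not published indicators.

```powershell
# Added hunt script; not code from the original page or from the vendors it cites.
# Assumes Windows PowerShell 5.1+ run elevated on the host being inspected.
# The pattern below is an assumption: a rough net for PowerShell launchers, not an IOC.
$SuspiciousPattern = 'powershell|pwsh|-enc|-e\s|-nop|-w(indowstyle)?\s*hidden|FromBase64String|Invoke-Expression|\bIEX\b|DownloadString'

function New-Finding([string]$Source, [string]$Name, [string]$Detail, [bool]$Suspicious) {
    [pscustomobject]@{ Suspicious = $Suspicious; Source = $Source; Name = $Name; Detail = $Detail }
}

function Get-WmiPersistence {
    # T1546.003 (the page cites the older ID T1084). A consumer bound to an event filter
    # is re-armed by the WMI service at every boot, with nothing on disk to find.
    $ns = 'root\subscription'
    $out = @()
    foreach ($c in @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue)) {
        $out += New-Finding 'WMI CommandLineEventConsumer' $c.Name $c.CommandLineTemplate ($c.CommandLineTemplate -match $SuspiciousPattern)
    }
    foreach ($c in @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)) {
        # Script consumers are rare outside of management tooling; flag every one for review.
        $out += New-Finding 'WMI ActiveScriptEventConsumer' $c.Name $c.ScriptText $true
    }
    foreach ($f in @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)) {
        # Filters alone do nothing; they are listed so a consumer can be tied to its trigger query.
        $out += New-Finding 'WMI __EventFilter' $f.Name $f.Query $false
    }
    return $out
}

function Get-RunKeyPersistence {
    # T1547.001 (the page cites the older ID T1060).
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $out = @()
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-ItemProperty -Path $k
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSParentPath metadata
            $value = [string]$p.Value
            $out += New-Finding "Registry $k" $p.Name $value ($value -match $SuspiciousPattern)
        }
    }
    return $out
}

function Get-OutlookHomePagePersistence {
    # T1137.004: a folder home page URL makes Outlook render attacker-supplied HTML and script
    # inside OUTLOOK.EXE, which is how the page describes the backdoor being launched.
    # Documented location: HKCU\Software\Microsoft\Office\<ver>\Outlook\WebView\<Folder>\URL.
    # The Policies hive path is an assumption (where a GPO-set value would land) and is
    # checked the same way. Any URL here is worth a look; legitimate use is rare.
    $roots = 'HKCU:\Software\Microsoft\Office', 'HKCU:\Software\Policies\Microsoft\Office'
    $out = @()
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($ver in @(Get-ChildItem $root -ErrorAction SilentlyContinue)) {
            $webview = "Registry::$($ver.Name)\Outlook\WebView"
            if (-not (Test-Path $webview)) { continue }
            foreach ($folder in @(Get-ChildItem $webview -ErrorAction SilentlyContinue)) {
                $url = (Get-ItemProperty -Path "Registry::$($folder.Name)" -Name URL -ErrorAction SilentlyContinue).URL
                if ($url) { $out += New-Finding "Outlook WebView ($($ver.PSChildName))" $folder.PSChildName $url $true }
            }
        }
    }
    return $out
}

function Invoke-PersistenceHunt {
    $findings = @(Get-WmiPersistence) + @(Get-RunKeyPersistence) + @(Get-OutlookHomePagePersistence)
    return $findings | Sort-Object Suspicious -Descending
}

Invoke-PersistenceHunt | Format-Table Suspicious, Source, Name, Detail -AutoSize -Wrap
```

Run it per host (or wrap Invoke-PersistenceHunt in Invoke-Command for a fleet) and review everything marked Suspicious first; the unflagged __EventFilter rows are there only to show what trigger a flagged consumer is bound to. The Outlook check runs under the current user's hive, so for a shared or investigated host load the other users' NTUSER.DAT hives or run it in each user's context.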
Description last updated: 2024-05-04T18:55:46.411Z