POWERTON

Malware Profile Updated 2 months ago
POWERTON is a custom-built backdoor written in PowerShell. FireEye has not identified any publicly available toolset with similar features, which suggests the code base is custom-developed. Like other malware of this kind, it is typically delivered without the user's knowledge through suspicious downloads, emails, or websites; once it has infected a system it can steal personal information, disrupt operations, and hold data hostage for ransom. POWERTON was first discovered when the actor group HOLMIUM used it to gain an initial foothold by running the custom PowerShell backdoor directly from an Outlook process. This allowed them to install additional payloads on the endpoint with different persistence mechanisms, such as WMI event subscriptions (T1084) or registry autorun keys (T1060). Once control of the endpoint was achieved, the group spent hours exploring the victim's network, enumerating user accounts and machines for additional compromise, and moving laterally within the perimeter. POWERTON was also observed being downloaded and established by an AutoIt binary named "ClouldPackage.exe" via the POWERTON "persist" command. The malware supports multiple persistence mechanisms, including WMI and auto-run registry keys. The payload was crafted to download and execute POWERTON hosted at various domains, and POSHC2 was additionally used to download new variants of POWERTON. FireEye detected this activity across its platform, including named detections for POSHC2, PUPYRAT, and POWERTON. Organizations are therefore advised to hunt for the Outlook home page shell and its persistence mechanisms to differentiate these payloads from other scripts.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
PoshC2 | 1 | PoshC2 is a versatile tool that can be used for both benign and malicious purposes, similar to tools like nc or nmap. It is a proxy-aware stager that downloads and executes PowerShell payloads from a hardcoded command and control (C2) address. The software operates on the .NET framework and dynamica
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Fireeye
PoshC2
Backdoor
Implant
Exploit
Outlook
Malware
T1084
T1060
Ruler
Payload
Lateral Move...
exploitation
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
APT33 | has used | 1 | APT33, an Iran-linked threat actor, has been identified as a significant cyber threat to the Defense Industrial Base sector. The group is known for its sophisticated and malicious activities, which primarily involve executing actions with harmful intent. APT33, like other threat actors, could be a s
HOLMIUM | Unspecified | 1 | Holmium, also known as Curious Serpens, Peach Sandstorm, APT33, Elfin, Magnallium, and Refined Kitten, is a threat actor that has been active since at least 2013. This group has been identified as having malicious intent and is often associated with cyber-espionage activities. They are believed to b
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the POWERTON malware was read from the document corpus below.
Source | Created At | Title
MITRE | a year ago | Inside Microsoft 365 Defender: Mapping attack chains from cloud to endpoint - Microsoft Security Blog
MITRE | a year ago | OVERRULED: Containing a Potentially Destructive Adversary | Mandiant