PowGoop

Malware updated 6 months ago (2024-05-04T19:19:10.102Z)
PowGoop is malware used by MuddyWater, an Iranian cyber threat group also tracked as TEMP.Zagros. It functions primarily as a loader in the group's operations and consists of a DLL loader and a PowerShell-based downloader. MuddyWater has been observed using several malware families, including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS, for loading additional malware, backdoor access, persistence, and exfiltration. The group's techniques include DLL side-loading, which tricks legitimate programs into executing malicious code, and obfuscation of PowerShell scripts to hide command and control (C2) functionality. The Federal Bureau of Investigation (FBI), the Cybersecurity & Infrastructure Security Agency (CISA), the Cyber National Mission Force (CNMF), and the UK National Cyber Security Centre (NCSC-UK) have reported recent use of multiple malware variants by MuddyWater actors, including new versions of PowGoop. In its spear-phishing operations the group has steadily updated its toolkit over the years, relying on malware such as POWERSTATS, PowGoop, and MORIAGENT. Iranian actors have delivered the PowGoop downloader through phishing emails and have exploited publicly known Microsoft Exchange server vulnerabilities to deploy Thanos ransomware. Open-source research has identified PowGoop Loader variants in compromised networks that de-obfuscate a PowerShell script providing attacker C2 functions. Further PowGoop variants have been identified, including C2 Beacon, Loader, and DLL Side-Loading variants. These use different file names, such as libpcre2-8-0.dll and vcruntime140.dll, to evade antivirus and manual detection, supporting both espionage and ransomware activity.
Description last updated: 2024-05-04T18:55:24.658Z
Aliases: none currently tracked
Miscellaneous Associations (other elements of context that could aid in assessing relevance):
Phishing
Ransomware
Downloader
Analyst Notes & Discussion
Source Document References
Information about the PowGoop malware was drawn from the document corpus below.