POWRUNER

Malware Profile Updated 3 months ago
Powruner is malware associated with POWBAT and BONDUPDATER and used by the advanced persistent threat group APT34. It is built to compromise and damage computer systems, and it typically arrives through suspicious downloads, emails, or websites. In a recent campaign, APT34 exploited the Microsoft Office vulnerability CVE-2017-11882 to deploy Powruner and BondUpdater. The backdoor was delivered through a malicious .rtf file that exploited a second vulnerability, CVE-2017-0199. Several vendors have publicly linked the infrastructure and the Powruner tool to Crambus.

The Powruner backdoor is a PowerShell script that communicates with its command-and-control (C2) server, sending and receiving commands. If the server responds with the string "not_now", Powruner terminates. If the response ends with '0', Powruner sends another random GET request to retrieve an additional command string. When instructed, it can also capture screenshots and send them to the C2 server. Communication between a Powruner client and its server is complex, involving generated subdomains and an exchange of random numbers.

APT34 has used Powruner and BondUpdater against Middle Eastern organizations since at least July 2017. In that month, a FireEye Web MPS appliance detected and blocked a request to retrieve and install an APT34 Powruner/BondUpdater downloader file. The dupdatechecker.exe file drops both BondUpdater and Powruner onto the system. Given the severity of this threat, organizations should keep their security measures up to date and educate employees about likely attack vectors such as suspicious downloads, emails, and websites.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Crambus | 1 | The Iranian Crambus espionage group, also known as OilRig, APT34, and other aliases, is a threat actor with extensive expertise in long-term cyber-espionage campaigns. In the most recent attack between February and September 2023, this group infiltrated an unnamed Middle Eastern government's network
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Mimikatz
Vulnerability
Backdoor
Exploit
Malware
exploited
Exploits
Associated Malware
ID | Type | Votes | Profile Description
BONDUPDATER | Unspecified | 1 | BondUpdater is a malware first discovered by FireEye in mid-November 2017, when APT34 targeted a Middle Eastern governmental organization. This PowerShell-based Trojan is associated with other malicious programs such as POWBAT and POWRUNER. BondUpdater contains basic backdoor functionality that allo
Associated Threat Actors
ID | Type | Votes | Profile Description
APT34 | Unspecified | 1 | APT34, also known as OilRig, EUROPIUM, Hazel Sandstorm, and Crambus among other names, is a threat actor believed to be operating on behalf of the Iranian government. Operational since at least 2014, APT34 has been involved in long-term cyber espionage operations primarily focused on reconnaissance
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2017-11882 | Unspecified | 1 | CVE-2017-11882 is a software vulnerability present in Microsoft's Equation Editor, allowing for the execution of malicious code. This vulnerability was exploited by a tool known as Royal Road, which is shared among various Chinese state-sponsored groups. The tool facilitates the creation of harmful
CVE-2017-0199 | Unspecified | 1 | CVE-2017-0199 is a notable software vulnerability, specifically a flaw in the design or implementation of Microsoft Office's Object Linking and Embedding (OLE) feature. This vulnerability has been exploited over the years to spread various notorious malware families. In 2017, it was used to dissemin
Source Document References
Information about the POWRUNER malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments
MITRE | a year ago | New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit | Mandiant
MITRE | a year ago | Advanced Persistent Threats (APTs) | Threat Actors & Groups