POWRUNER

Powruner is a malicious software (malware) associated with other malware such as POWBAT and BONDUPDATER, and it's utilized by the Advanced Persistent Threat group APT34. The malware is designed to exploit and damage computer systems, often infiltrating via suspicious downloads, emails, or websites. In its recent campaign, APT34 exploited the Microsoft Office vulnerability CVE-2017-11882 to deploy Powruner and BondUpdater. This backdoor was delivered through a malicious .rtf file that exploited another vulnerability, CVE-2017-0199. The infrastructure and the Powruner tool have been publicly linked to Crambus by several vendors. The backdoor component, Powruner, operates as a PowerShell script that communicates with the Command & Control (C2) server, sending and receiving commands. If the server responds with the string "not_now," Powruner terminates its execution. However, if the response ends with '0', Powruner sends another random GET request to receive an additional command string. This malware can even capture screenshot images and send them to the C2 server if commanded to do so. The network communication between a Powruner client and server is complex, involving the generation of subdomains and the exchange of random numbers. APT34 has used Powruner and BondUpdater to target Middle Eastern organizations since at least July 2017. In that same month, FireEye Web MPS appliance detected and blocked a request to retrieve and install an APT34 Powruner/BondUpdater downloader file. The dupdatechecker.exe file drops both BondUpdater and Powruner into the system. Given the severity of this threat, it's crucial for organizations to maintain up-to-date security measures and educate employees about potential attack vectors, such as suspicious downloads, emails, or websites.