ps1.powerstats

POWERSTATS

aka: Valyria

Actor(s): MuddyWater


POWERSTATS is a backdoor written in PowerShell.
It can disable Microsoft Office Protected View, fingerprint the victim machine, and receive commands from its operators.

References

2020-01-15 | Marco Ramilli's Blog | Marco Ramilli
Iranian Threat Actors: Preliminary Analysis
https://marcoramilli.com/2020/01/15/iranian-threat-actors-preliminary-analysis/ (accessed 2020-01-17)
@online{ramilli:20200115:iranian:d37840a, author = {Marco Ramilli}, title = {{Iranian Threat Actors: Preliminary Analysis}}, date = {2020-01-15}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2020/01/15/iranian-threat-actors-preliminary-analysis/}, language = {English}, urldate = {2020-01-17} }
Families: POWERSTATS

2020-01-07 | Prevailion | Danny Adamitis
Summer Mirage
https://blog.prevailion.com/2020/01/summer-mirage.html (accessed 2020-01-12)
@online{adamitis:20200107:summer:637a53f, author = {Danny Adamitis}, title = {{Summer Mirage}}, date = {2020-01-07}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/01/summer-mirage.html}, language = {English}, urldate = {2020-01-12} }
Families: POWERSTATS

2020 | Secureworks | SecureWorks
COBALT ULSTER
http://www.secureworks.com/research/threat-profiles/cobalt-ulster (accessed 2020-05-27)
@online{secureworks:2020:cobalt:e50c4e9, author = {SecureWorks}, title = {{COBALT ULSTER}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/cobalt-ulster}, language = {English}, urldate = {2020-05-27} }
Families: POWERSTATS, Koadic, MuddyWater

2019-08-01 | Kaspersky Labs | GReAT
APT trends report Q2 2019
https://securelist.com/apt-trends-report-q2-2019/91897/ (accessed 2020-08-13)
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} }
Families: ZooPark, magecart, POWERSTATS, Chaperone, COMpfun, EternalPetya, FinFisher RAT, HawkEye Keylogger, HOPLIGHT, Microcin, NjRAT, Olympic Destroyer, PLEAD, RokRAT, Triton, Zebrocy, Microcin

2019-06-10 | Trend Micro | Daniel Lunghi, Jaromír Hořejší
MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools
https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/ (accessed 2019-11-27)
@online{lunghi:20190610:muddywater:b87a78a, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools}}, date = {2019-06-10}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/}, language = {English}, urldate = {2019-11-27} }
Families: POWERSTATS

2019-04-15 | ClearSky | ClearSky Research Team
Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey
https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/ (accessed 2020-01-07)
@online{team:20190415:iranian:5a7f4ff, author = {ClearSky Research Team}, title = {{Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey}}, date = {2019-04-15}, organization = {ClearSky}, url = {https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/}, language = {English}, urldate = {2020-01-07} }
Families: POWERSTATS, MuddyWater

2018-11-28 | ClearSky | ClearSky Research Team
MuddyWater Operations in Lebanon and Oman
https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/ (accessed 2019-07-09)
@online{team:20181128:muddywater:89a520f, author = {ClearSky Research Team}, title = {{MuddyWater Operations in Lebanon and Oman}}, date = {2018-11-28}, organization = {ClearSky}, url = {https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/}, language = {English}, urldate = {2019-07-09} }
Families: POWERSTATS

2018-03-13 | FireEye | Sudeep Singh, Dileep Kumar Jallepalli, Yogesh Londhe, Ben Read
Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign
https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html (accessed 2019-12-20)
@online{singh:20180313:iranian:3542dc9, author = {Sudeep Singh and Dileep Kumar Jallepalli and Yogesh Londhe and Ben Read}, title = {{Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign}}, date = {2018-03-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html}, language = {English}, urldate = {2019-12-20} }
Families: POWERSTATS, MuddyWater

2018-03-12 | Trend Micro | Jaromír Hořejší
Campaign Possibly Connected to "MuddyWater" Surfaces in the Middle East and Central Asia
https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/ (accessed 2020-01-13)
@online{hoej:20180312:campaign:00eb661, author = {Jaromír Hořejší}, title = {{Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia}}, date = {2018-03-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/}, language = {English}, urldate = {2020-01-13} }
Families: POWERSTATS, MuddyWater

2017-11-22 | Reaqta | Reaqta
A dive into MuddyWater APT targeting Middle-East
https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/ (accessed 2020-01-08)
@online{reaqta:20171122:dive:5c67031, author = {Reaqta}, title = {{A dive into MuddyWater APT targeting Middle-East}}, date = {2017-11-22}, organization = {Reaqta}, url = {https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/}, language = {English}, urldate = {2020-01-08} }
Families: POWERSTATS

2017-11-14 | Palo Alto Networks Unit 42 | Tom Lancaster
Muddying the Water: Targeted Attacks in the Middle East
https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/ (accessed 2020-01-08)
@online{lancaster:20171114:muddying:aa0467a, author = {Tom Lancaster}, title = {{Muddying the Water: Targeted Attacks in the Middle East}}, date = {2017-11-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/}, language = {English}, urldate = {2020-01-08} }
Families: POWERSTATS, MuddyWater

2017-09-26 | Malwarebytes | Malwarebytes Labs
Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity
https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/ (accessed 2019-12-20)
@online{labs:20170926:elaborate:bed9adc, author = {Malwarebytes Labs}, title = {{Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity}}, date = {2017-09-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/}, language = {English}, urldate = {2019-12-20} }
Families: POWERSTATS

There is no YARA signature for this family yet.