SYMBOLCOMMON_NAMEaka. SYNONYMS
ps1.powerton (Back to overview)

POWERTON

Actor(s): APT33

There is no description at this point.

References
2020-07-13FireEyeAndrew Thompson, Aaron Stephens
@online{thompson:20200713:scandalous:15d59a2, author = {Andrew Thompson and Aaron Stephens}, title = {{SCANdalous! (External Detection Using Network Scan Data and Automation)}}, date = {2020-07-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html}, language = {English}, urldate = {2020-07-15} } SCANdalous! (External Detection Using Network Scan Data and Automation)
POWERTON QUADAGENT PoshC2
2020-06-18MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200618:inside:4d53bcc, author = {Microsoft Threat Protection Intelligence Team}, title = {{Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint (APT33/HOLMIUM)}}, date = {2020-06-18}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/}, language = {English}, urldate = {2020-06-19} } Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint (APT33/HOLMIUM)
POWERTON
2020-02-12TelsyTelsy
@online{telsy:20200212:meeting:085d775, author = {Telsy}, title = {{Meeting POWERBAND: The APT33 .NET POWERTON Variant}}, date = {2020-02-12}, organization = {Telsy}, url = {https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/}, language = {English}, urldate = {2020-02-14} } Meeting POWERBAND: The APT33 .NET POWERTON Variant
POWERTON POWERBAND
2020SecureworksSecureWorks
@online{secureworks:2020:cobalt:8d36ac3, author = {SecureWorks}, title = {{COBALT TRINITY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-trinity}, language = {English}, urldate = {2020-05-23} } COBALT TRINITY
POWERTON pupy Imminent Monitor RAT Koadic Nanocore RAT NetWire RC PoshC2 APT33
2019-07-22One Night in NorfolkKevin Perlow
@online{perlow:20190722:apt33:3258e71, author = {Kevin Perlow}, title = {{APT33 PowerShell Malware}}, date = {2019-07-22}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/apt33-powershell-malware/}, language = {English}, urldate = {2020-05-19} } APT33 PowerShell Malware
POWERTON
2019-06-24SymantecBenjamin Moench
@online{moench:20190624:backdoorpowerton:0fef32a, author = {Benjamin Moench}, title = {{Backdoor.Powerton}}, date = {2019-06-24}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2019-062513-4935-99}, language = {English}, urldate = {2020-01-12} } Backdoor.Powerton
POWERTON
2018-12-21FireEyeGeoff Ackerman, Rick Cole, Andrew Thompson, Alex Orleans, Nick Carr
@online{ackerman:20181221:overruled:74ac7b4, author = {Geoff Ackerman and Rick Cole and Andrew Thompson and Alex Orleans and Nick Carr}, title = {{OVERRULED: Containing a Potentially Destructive Adversary}}, date = {2018-12-21}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html}, language = {English}, urldate = {2019-12-20} } OVERRULED: Containing a Potentially Destructive Adversary
POWERTON PoshC2 pupy
Yara Rules
[TLP:WHITE] ps1_powerton_w0 (20190903 | No description)
rule ps1_powerton_w0 {
    meta:
        author = "jeFF0Falltrades"
        hash = "6bea9a7c9ded41afbebb72a11a1868345026d8e46d08b89577f30b50f4929e85"
        source = "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/powerton_apt_33.md"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerton"
        malpedia_version = "20190903"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $str_wmi = "Adding wmi persist ..." wide ascii
        $str_registery = "Poster \"Registery Value With Name" wide ascii
        $str_upload = "(New-Object Net.WebClient).UploadFile(\"$SRVURL$address\", \"$fullFilePath" wide ascii
        $str_pass = "jILHk{Yu1}2i0h^xe|t,d+Cy:KBv!l?7" wide ascii
        $str_addr = "$address=\"/contact/$BID$($global:rndPost)/confirm" wide ascii
        $str_png = "$env:temp + \"\\\" + $(date -format dd-m-y-HH-mm-s) + \".png" wide ascii
        $str_msg = "/contact/msg/$BID$($global:rndPost)" wide ascii
        $str_ua = "Mozilla/5.0 (Windows NT $osVer; rv:38.0) Gecko/20100101 Thunderbird/38.1.0 Lightning/4.0.2" wide ascii
        $domain = "backupaccount.net" wide ascii

    condition:
        2 of ($str*) or $domain
}
Download all Yara Rules