PowerShower

PowerShower is a PowerShell backdoor used by Inception for initial reconnaissance and to download and execute second-stage payloads.[1][2]

ID: S0441
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 08 May 2020
Last Modified: 20 May 2020

Techniques Used

Domain ID Name Use
Enterprise T1112 Modify Registry

PowerShower has added a registry key so future powershell.exe instances are spawned off-screen by default, and has removed all registry entries that are left behind during the dropper process.[1]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

PowerShower sets up persistence with a Registry run key.[1]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

PowerShower is a backdoor written in PowerShell.[1]

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

PowerShower has the ability to save and execute VBScript.[1]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

PowerShower has sent HTTP GET and POST requests to C2 servers to send information and receive instructions.[1]

Enterprise T1560.001 Archive Collected Data: Archive via Utility

PowerShower has used 7Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration.[2]

Enterprise T1132.001 Data Encoding: Standard Encoding

PowerShower has the ability to encode C2 communications with base64 encoding.[1][2]

Enterprise T1070.004 Indicator Removal: File Deletion

PowerShower has the ability to remove all files created during the dropper process.[1]

Enterprise T1082 System Information Discovery

PowerShower has collected system information on the infected host.[1]

Enterprise T1033 System Owner/User Discovery

PowerShower has the ability to identify the current user on the infected host.[2]

Enterprise T1016 System Network Configuration Discovery

PowerShower has the ability to identify the current Windows domain of the infected host.[2]

Enterprise T1057 Process Discovery

PowerShower has the ability to deploy a reconnaissance module to retrieve a list of the active processes.[2]

Enterprise T1041 Exfiltration Over C2 Channel

PowerShower has used a PowerShell document stealer module to pack and exfiltrate .txt, .pdf, .xls or .doc files smaller than 5MB that were modified during the past two days.[2]

Enterprise T1564.003 Hide Artifacts: Hidden Window

PowerShower has added a registry key so future powershell.exe instances are spawned with coordinates for a window position off-screen by default.[1]
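As an added defender-side check (not from the ATT&CK entry or the cited Inception reports), the script below audits the two registry artifacts the rows above describe: a per-application console WindowPosition that would make powershell.exe windows open off-screen (T1564.003 / T1112), and Run-key entries that launch PowerShell with hidden-window or encoded-command options (T1547.001, T1132.001). The location HKCU:\Console\<application subkey> and the WindowPosition layout (high word = Y, low word = X, each a signed 16-bit value) are assumptions about how Windows stores console settings, not facts taken from this page.

```powershell
# Added audit script; assumptions about HKCU:\Console and WindowPosition are noted inline.

function Get-OffScreenConsoleSettings {
    # Walks HKCU:\Console and its per-application subkeys (assumed layout: the exe
    # path with backslashes replaced by underscores) and returns any key whose
    # WindowPosition value places the console window at negative coordinates.
    $findings = @()
    $root = Get-Item -Path 'HKCU:\Console' -ErrorAction SilentlyContinue
    if ($null -eq $root) { return $findings }
    $keys = @($root) + @(Get-ChildItem -Path 'HKCU:\Console' -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        if ($null -eq $key) { continue }
        $raw = $key.GetValue('WindowPosition')
        if ($null -eq $raw) { continue }
        # REG_DWORD is returned as Int32; split it into two signed 16-bit halves
        # (assumed encoding: low word = X, high word = Y).
        $bytes = [BitConverter]::GetBytes([int32]$raw)
        $x = [BitConverter]::ToInt16($bytes, 0)
        $y = [BitConverter]::ToInt16($bytes, 2)
        if ($x -lt 0 -or $y -lt 0) {
            $findings += [pscustomobject]@{
                Key               = $key.Name
                X                 = $x
                Y                 = $y
                TargetsPowerShell = [bool]($key.Name -match '(?i)powershell')
            }
        }
    }
    return $findings
}

function Get-RunKeyPowerShellEntries {
    # Lists Run/RunOnce values (user and machine hives) that start PowerShell with
    # options typical of a hidden, encoded launcher: -WindowStyle Hidden, -EncodedCommand,
    # or inline Base64 decoding / download-and-execute patterns.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $suspiciousOptions = '(?i)-w(indowstyle)?\s+h(idden)?|-e(nc|ncodedcommand)?\b|frombase64string|downloadstring|iex\b|invoke-expression'
    $findings = @()
    foreach ($path in $runKeys) {
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata PowerShell adds to the object.
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            if ($cmd -match '(?i)powershell(\.exe)?|pwsh(\.exe)?' -and $cmd -match $suspiciousOptions) {
                $findings += [pscustomobject]@{
                    Key     = $path
                    Name    = $p.Name
                    Command = $cmd
                }
            }
        }
    }
    return $findings
}

$offscreen = Get-OffScreenConsoleSettings
$runHits   = Get-RunKeyPowerShellEntries

if ($offscreen) { $offscreen | Format-Table -AutoSize } else { 'No off-screen console WindowPosition values found under HKCU:\Console.' }
if ($runHits)   { $runHits   | Format-Table -AutoSize } else { 'No Run/RunOnce entries launching hidden or encoded PowerShell found.' }
```

The script reads only the current user's console settings and the Run keys it can open, so it can run from an unprivileged session during triage; a non-empty result from either function is a lead to correlate with PowerShell script-block logging and process-creation events rather than proof of compromise on its own.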

Groups That Use This Software

ID Name References
G0100 Inception

[1]

References