Names | POSHSPY | |
Category | Malware | |
Type | Backdoor | |
Description | (FireEye) POSHSPY makes the most of using built-in Windows features – so-called “Living off the Land” – to make an especially stealthy backdoor. POSHSPY's use of WMI to both store and persist the backdoor code makes it nearly invisible to anyone not familiar with the intricacies of WMI. Its use of a PowerShell payload means that only legitimate system processes are utilized and that the malicious code execution can only be identified through enhanced logging or in memory. The backdoor's infrequent beaconing, traffic obfuscation, extensive encryption and use of geographically local, legitimate websites for command and control (C2) make identification of its network traffic difficult. Every aspect of POSHSPY is efficient and covert. Mandiant initially identified an early variant of the POSHSPY backdoor deployed as PowerShell scripts during an incident response engagement in 2015. Later in that same engagement, the attacker updated the deployment of the backdoor to use WMI for storage and persistence. Mandiant has since identified POSHSPY in several other environments compromised by APT29 over the past two years. | |
Information | <https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html> <https://github.com/matthewdunwoody/POSHSPY> | |
MITRE ATT&CK | <https://attack.mitre.org/software/S0150/> | |
Malpedia | <https://malpedia.caad.fkie.fraunhofer.de/details/ps1.poshspy> |
Last change to this tool card: 13 May 2020
Download this tool card in JSON format
Changed | Name | Country | Observed | ||
APT groups | |||||
APT 29, Cozy Bear, The Dukes | 2008-Jun 2024 |
1 group listed (1 APT, 0 other, 0 unknown)
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |