ETDA Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

Tool: PowerPunch

Names: PowerPunch
Category: Malware
Type: Downloader, Loader
Description: (Microsoft) PowerPunch is executed from within PowerShell as a one-line command, encoded using Base64. These binaries also exhibit features that rely on data from the compromised host to inform encryption of the next stage. PowerPunch also provides an excellent example of this. The VolumeSerialNumber of the host serves as the basis for a multibyte XOR key. The key is applied to an executable payload downloaded directly from adversary infrastructure, allowing for an encryption key unique to the target host. Ultimately, a next-stage executable is remotely retrieved and dropped to disk prior to execution.
Information: <https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/>
MITRE ATT&CK: <https://attack.mitre.org/software/S0685/>

Last change to this tool card: 30 December 2022


All groups using tool PowerPunch

APT groups

Changed | Name            | Country | Observed
        | Gamaredon Group | Russia  | 2013-Jan 2024

1 group listed (1 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Report incidents

Telephone +66 (0)2-123-1227