Names | PowerPunch
Category | Malware
Type | Downloader, Loader
Description | (Microsoft) PowerPunch is executed from within PowerShell as a one-line command, encoded using Base64. These binaries also exhibit features that rely on data from the compromised host to inform encryption of the next stage. PowerPunch also provides an excellent example of this. The VolumeSerialNumber of the host serves as the basis for a multibyte XOR key. The key is applied to an executable payload downloaded directly from adversary infrastructure, allowing for an encryption key unique to the target host. Ultimately, a next-stage executable is remotely retrieved and dropped to disk prior to execution.
Information | <https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/>
MITRE ATT&CK | <https://attack.mitre.org/software/S0685/>
Last change to this tool card: 30 December 2022
| Changed | Name | Country | Observed |
|---|---|---|---|
| | APT groups | | |
| | Gamaredon Group | | 2013-Oct 2024 |

1 group listed (1 APT, 0 other, 0 unknown)