
Threat Group Cards: A Threat Actor Encyclopedia

Tool: POWBAT

Names: POWBAT
Category: Malware
Type: Info stealer, Exfiltration, Tunneling
Description: (FireEye) After the macro successfully creates the scheduled task, the dropped VBScript, update.vbs (Figure 5), will be launched every three minutes. This VBScript performs the following operations:

1. Leverages PowerShell to download content from the URI hxxp://go0gIe[.]com/sysupdate.aspx?req=xxx\dwn&m=d and saves it in the directory %PUBLIC%\Libraries\dn.
2. Uses PowerShell to download a BAT file from the URI hxxp://go0gIe[.]com/sysupdate.aspx?req=xxx\bat&m=d and saves it in the directory %PUBLIC%\Libraries\dn.
3. Executes the BAT file and stores the results in a file in the path %PUBLIC%\Libraries\up.
4. Uploads this file to the server by sending an HTTP POST request to the URI hxxp://go0gIe[.]com/sysupdate.aspx?req=xxx\upl&m=u.
5. Finally, it executes the PowerShell script dns.ps1, which is used for the purpose of data exfiltration using DNS.
Information:
https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html

Last change to this tool card: 20 April 2020


All groups using tool POWBAT

Name                                    Country  Observed       Changed

APT groups

Chafer, APT 39                          Iran     2014-Sep 2020  X
OilRig, APT 34, Helix Kitten, Chrysene  Iran     2014-Apr 2020  X

2 groups listed (2 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency