POWBAT
Description
(FireEye) After the macro successfully creates the scheduled task, the dropped VBScript, update.vbs (Figure 5), will be launched every three minutes. This VBScript performs the following operations:
- Leverages PowerShell to download content from the URI hxxp://go0gIe[.]com/sysupdate.aspx?req=xxx\dwn&m=d and saves it in the directory %PUBLIC%\Libraries\dn.
- Uses PowerShell to download a BAT file from the URI hxxp://go0gIe[.]com/sysupdate.aspx?req=xxx\bat&m=d and saves it in the directory %PUBLIC%\Libraries\dn.
- Executes the BAT file and stores the results in a file in the path %PUBLIC%\Libraries\up.
- Uploads this file to the server by sending an HTTP POST request to the URI hxxp://go0gIe[.]com/sysupdate.aspx?req=xxx\upl&m=u.
- Finally, it executes the PowerShell script dns.ps1, which is used for the purpose of data exfiltration using DNS.
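The request pattern above (fixed path, a `req` value ending in `\dwn`, `\bat` or `\upl`, and `m=d`/`m=u`) is distinctive enough to match in web-proxy logs. The following Python detector is an added example, not code from the FireEye write-up or this card; the log format, the refanged host `go0gie.com` and the sample lines are constructed assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Refanged form of hxxp://go0gIe[.]com from the write-up (note the look-alike spelling).
POWBAT_C2_HOST = "go0gie.com"

# Stage of the update.vbs cycle, keyed by (req suffix, m parameter).
POWBAT_STAGES = {
    ("dwn", "d"): "download-content",
    ("bat", "d"): "download-bat",
    ("upl", "u"): "upload-results",
}

def classify_powbat_request(url: str) -> Optional[str]:
    """Return the POWBAT C2 stage a URL corresponds to, or None if it does not match."""
    parts = urlsplit(url.strip())
    if parts.hostname is None or parts.hostname.lower() != POWBAT_C2_HOST:
        return None
    if parts.path.lower() != "/sysupdate.aspx":
        return None
    qs = parse_qs(parts.query)          # percent-encoded backslashes (%5C) are decoded here
    req = qs.get("req", [""])[0]
    mode = qs.get("m", [""])[0]
    # req looks like "<id>\dwn"; only the known suffix/mode pairs count as a hit.
    m = re.fullmatch(r"[^\\]+\\(dwn|bat|upl)", req)
    if not m:
        return None
    return POWBAT_STAGES.get((m.group(1), mode))

def is_powbat_staging_path(path: str) -> bool:
    """True for the %PUBLIC%/Libraries/dn or /up staging directories named in the write-up."""
    p = path.replace("/", "\\").lower()
    return "\\public\\libraries\\dn" in p or "\\public\\libraries\\up" in p

def scan_proxy_log(lines):
    """Constructed log format: '<timestamp> <client-ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        stage = classify_powbat_request(fields[3])
        if stage:
            hits.append((fields[0], fields[1], stage))
    return hits

# Constructed sample lines (raw string so the backslashes survive).
SAMPLE_LOG = r"""
2017-12-07T10:00:01Z 10.0.0.5 GET http://www.example.com/index.html 200
2017-12-07T10:02:11Z 10.0.0.5 GET http://go0gIe.com/sysupdate.aspx?req=ab12\dwn&m=d 200
2017-12-07T10:02:12Z 10.0.0.5 GET http://go0gIe.com/sysupdate.aspx?req=ab12%5Cbat&m=d 200
2017-12-07T10:05:13Z 10.0.0.5 POST http://go0gIe.com/sysupdate.aspx?req=ab12\upl&m=u 200
"""
```

Pairing a hit from `scan_proxy_log` with a Sysmon file-create event under a path for which `is_powbat_staging_path` is true gives a stronger signal than either alone.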
Names
Name |
---|
POWBAT |
Category
Malware
Type
- Info stealer
- Exfiltration
- Tunneling
Information
- https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
- https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
Other Information
Uuid
e87032a7-d42b-4d9b-a20e-9380e1c51cd7
Last Card Change
2020-04-20