PowerTrick

Description

(SentinelLabs) SentinelLabs research into this PowerShell-based backdoor called “PowerTrick” traces back to the initial infection, we assess with high confidence at least some of the initial PowerTrick infections are being kicked off as a PowerShell task through normal TrickBot infections utilizing a repurposed backconnect module that can accept commands to execute called “NewBCtest”.

After the initial stager for the “PowerTrick backdoor” is kicked off, then the actor issues the first command which is to download a larger backdoor. This process is similar to what you see in Powershell Empire with its stager component.

PowerTrick is designed to execute commands and return the results in Base64 format, the system uses a generated UUID based on computer information as a “botID.”

Names

Name
PowerTrick

Type

Backdoor

Information

https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/

Other Information

Uuid

48fd4d67-710f-4f16-86b8-de497183ee53

Last Card Change

2020-06-24

Threat Intelligence Garden

Explorer

PowerTrick

PowerTrick

Description

Names

Category

Type

Information

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks