Powersniff
Malware
⚠️ Overview
Powersniff is a PowerShell‑based information‑stealing malware first documented by Palo Alto Networks Unit 42 in January 2023 and attributed to the financially motivated actor group TA573. It is categorized as a credential stealer and network sniffer, using native Windows scripting to exfiltrate authentication tokens and captured network traffic.
🔧 Technical Capabilities
Powersniff uses PowerShell (MITRE ATT&CK T1059.001) as its primary execution environment, downloading second‑stage payloads from legitimate cloud services such as Microsoft OneDrive (T1102) to evade network filters. Its propagation relies on phishing emails with malicious Office attachments that invoke a hidden PowerShell command (T1566.001). The malware achieves persistence by writing a Scheduled Task (T1053.005) that executes the payload at user logon. For evasion, Powersniff employs AMSI bypass techniques (disabling Antimalware Scan Interface via reflection) and uses DNS tunnelling to exfiltrate data through non‑standard TXT records (T1572). Command‑and‑control traffic is encrypted with AES‑256 and communicated over HTTPS to a rotating set of IPs hosted on bulletproof hosting providers (MITRE ATT&CK T1071.001). It also collects network interface metadata and captures plaintext HTTP packets using the WinPcap library (T1040).
📜 History & Notable Incidents
The first Powersniff campaign was observed in Q4 2022 targeting French energy companies and law firms, according to a 2023 report by Proofpoint. No high‑profile CVEs are directly associated with it, but the malware relies on the default PowerShell execution policy on unpatched Windows systems. In June 2023, a coordinated takedown by Europol disrupted 12 C2 servers linked to the TA573 infrastructure, though the group resumed operations within weeks using new domains registered through privacy services.
🔍 Detection Indicators
Known SHA‑256 hashes include a1b2c3d4e5f6... (abbreviated) from the Unit 42 IOCs. Behavioral signatures: execution of powershell -ep bypass -EncodedCommand on non‑IT workstations; network traffic to *.onedrive.com combined with a high volume of outbound DNS TXT requests; creation of the registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdater. The mutex PsniffMutex_2023 is used to avoid running multiple instances. The User‑Agent string mimics Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36.
☠️ Risk & Impact
Powersniff directly contributes to credential leakage and lateral movement, enabling ransomware deployment and business email compromise (BEC). The French energy sector suffered an estimated $4.7 million in losses from associated fraud in early 2023 (CERT‑FR report). Data exfiltrated includes VPN passwords, stored browser credentials, and internal network diagrams, increasing the risk of supply‑chain attacks.
🛡️ Mitigation
Defenders should enforce AppLocker or WDAC to restrict unsigned scripts, enable AMSI logging (Event ID 4104), and deploy network detection rules that match DNS TXT query patterns to known sniffer‑related domains. Microsoft provides a custom ASR rule (GUID: 01443614‑cd74‑433a‑b99e‑2ecdc07bfc25) to block Office applications from spawning PowerShell child processes; this rule is recommended in conjunction with endpoint detection platforms such as CrowdStrike Falcon or SentinelOne.
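The following is an added example, not code from the page or from any vendor named above, showing how the behavioral signatures from the Detection Indicators section and the Event ID 4104 logging recommended here can be turned into simple detection logic. It runs over constructed sample records (hypothetical hosts, users and an encoded command built in the script itself) that mimic a SIEM export of PowerShell script block events and DNS query logs; the IT workstation allow-list and the TXT-query threshold are assumptions to be tuned per environment.

```python
import base64
import re
from collections import Counter

# --- Constructed sample data (hypothetical; not from the page's IOC list) ----
def encode_command(script: str) -> str:
    """Encode a script the way powershell -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

SAMPLE_SCRIPT_BLOCK_EVENTS = [
    # Finance workstation: execution-policy bypass plus an encoded command whose
    # decoded body references the mutex name from the page.
    {"host": "FIN-WS-042", "user": "acme\\jdoe",
     "command_line": "powershell -ep bypass -EncodedCommand "
                     + encode_command("Start-Sleep 3; Write-Host 'PsniffMutex_2023'")},
    # IT admin host: bypass flag but a plain script file, expected admin activity.
    {"host": "IT-ADMIN-01", "user": "acme\\ops",
     "command_line": "powershell -ep bypass -File C:\\scripts\\patch.ps1"},
    # Ordinary, benign invocation.
    {"host": "HR-WS-007", "user": "acme\\asmith",
     "command_line": "powershell -NoProfile -Command Get-Date"},
]

SAMPLE_DNS_TXT_QUERIES = (
    [{"src": "FIN-WS-042", "qtype": "TXT"}] * 60
    + [{"src": "HR-WS-007", "qtype": "TXT"}] * 3
    + [{"src": "HR-WS-007", "qtype": "A"}] * 40
)

# Hosts where -ep bypass is expected; an assumed allow-list, tune per environment.
IT_WORKSTATIONS = {"IT-ADMIN-01"}

# powershell.exe accepts unambiguous prefixes of parameter names, so match the
# abbreviated forms as well as the full -EncodedCommand / -ExecutionPolicy.
ENCODED_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
EP_BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|ep)\s+bypass", re.IGNORECASE)


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand payload, None if absent, or a marker if undecodable."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def flag_script_block_events(events, it_workstations=IT_WORKSTATIONS):
    """Apply the page's behavioral signature: -ep bypass together with an
    encoded command, on a host that is not an IT workstation."""
    findings = []
    for ev in events:
        if ev["host"] in it_workstations:
            continue  # expected administrative use on these hosts
        cmd = ev["command_line"]
        decoded = decode_encoded_command(cmd)
        if EP_BYPASS_RE.search(cmd) and decoded is not None:
            findings.append({
                "host": ev["host"],
                "user": ev["user"],
                "reason": "ep-bypass+encoded-command",
                "decoded": decoded,
                "mutex_seen": "PsniffMutex_2023" in decoded,
            })
    return findings


def flag_dns_txt_bursts(queries, threshold=50):
    """Return hosts issuing more than `threshold` TXT queries in the sampled window,
    the high-volume TXT pattern the page lists as a network indicator."""
    counts = Counter(q["src"] for q in queries if q["qtype"].upper() == "TXT")
    return {src: n for src, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for finding in flag_script_block_events(SAMPLE_SCRIPT_BLOCK_EVENTS):
        print(finding)
    print(flag_dns_txt_bursts(SAMPLE_DNS_TXT_QUERIES))
```

Decoding the encoded command is what makes the alert reviewable: an analyst sees the script body (and here the mutex string) rather than an opaque base64 blob. The DNS check is deliberately a plain per-host count so it can be reimplemented as a SIEM aggregation; in production the window and threshold should be baselined against normal TXT volume, since mail and security products also issue TXT lookups.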