1. Home
  2. Software
  3. POSHSPY

POSHSPY

POSHSPY is a backdoor that has been used by APT29 since at least 2015. It appears to be used as a secondary backdoor used if the actors lost access to their primary backdoors. [1]

ID: S0150
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 14 December 2017
Last Modified: 30 March 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

POSHSPY uses PowerShell to execute various commands, one to execute its payload.[1]
Enterprise T1030 Data Transfer Size Limits

POSHSPY uploads data in 2048-byte chunks.[1]
Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

POSHSPY uses a DGA to derive command and control URLs from a word list.[1]
Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

POSHSPY encrypts C2 traffic with AES and RSA.[1]
Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

POSHSPY uses a WMI event subscription to establish persistence.[1]
Enterprise T1070 .006 Indicator Removal on Host: Timestomp

POSHSPY modifies timestamps of all downloaded executables to match a randomly selected file created prior to 2013.[1]
Enterprise T1105 Ingress Tool Transfer

POSHSPY downloads and executes additional PowerShell code and Windows binaries.[1]
Enterprise T1027 Obfuscated Files or Information

POSHSPY appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download.[1]

Groups That Use This Software

ID Name References
G0016 APT29

[1]

References

  1. Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.