Power Loader

Power Loader is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. [1] [2]

ID: S0177
Associated Software: Win32/Agent.UAW
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 16 January 2018
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1055 .011 Process Injection: Extra Window Memory Injection

Power Loader overwrites Explorer’s Shell_TrayWnd extra window memory to redirect execution to a NTDLL function that is abused to assemble and execute a return-oriented programming (ROP) chain and create a malicious thread within Explorer.exe.[1][2]

References