1. Home
  2. Software
  3. PowGoop

PowGoop

PowGoop is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been used by MuddyWater as their main loader.[1][2]

ID: S1046
Type: MALWARE
Platforms: Windows
Contributors: Ozer Sarilar, @ozersarilar, STM
Version: 1.0
Created: 29 September 2022
Last Modified: 17 October 2022
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

PowGoop can send HTTP GET requests to malicious servers.[2]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

PowGoop has the ability to use PowerShell scripts to execute commands.[1]
Enterprise T1132 .002 Data Encoding: Non-Standard Encoding

PowGoop can use a modified Base64 encoding mechanism to send data to and from the C2 server.[2]
Enterprise T1140 Deobfuscate/Decode Files or Information

PowGoop can decrypt PowerShell scripts for execution.[1][2]
Enterprise T1573 Encrypted Channel

PowGoop can receive encrypted commands from C2.[1]
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

PowGoop can side-load Goopdate.dll into GoogleUpdate.exe.[1][2]
Enterprise T1036 Masquerading

PowGoop has disguised a PowerShell script as a .dat file (goopdate.dat).[1]
.005 Match Legitimate Name or Location

PowGoop has used a DLL named Goopdate.dll to impersonate a legitimate Google update file.[1]

Groups That Use This Software

ID Name References
G0069 MuddyWater

[1]

References

  1. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  1. Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.