
PowMix botnet targets Czech workforce

Cisco Talos Intelligence, 16/04/2026, 10:00

Summary (AI-generated)

Key Points:

  • The PowMix botnet targets Czech organizations through a phishing campaign whose PowerShell loader runs the malicious payload in memory to evade detection.
  • The botnet beacons to its command-and-control (C2) infrastructure at randomized intervals and disguises that traffic as legitimate REST API calls. Affected sectors include HR, legal, and recruitment.
  • Recommended actions include monitoring for suspicious PowerShell activity (script block logging, Event ID 4104, makes the decoded script visible), deploying endpoint detection and response, and blocking the known IOCs associated with PowMix.
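The randomized beaconing described in the second key point defeats a naive "exactly every N seconds" check, but bounded jitter is still visible statistically: the intervals cluster tightly around a median, while human browsing is bursty. The following is an added example, not code from the Talos report or from PowMix, that flags source/destination pairs whose request intervals have a small median absolute deviation relative to their median. The proxy log format, hostnames, paths and timestamps are constructed for illustration, and the thresholds are assumptions to tune per environment:

```python
"""Jitter-tolerant beacon detection over proxy log lines.

Added example for this page; not code from the Talos report or from PowMix.
The log format, hosts, paths and timestamps below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log, one request per line: "timestamp src dst method path".
# The first host is hit roughly once a minute with randomized sleeps; the second
# is ordinary bursty browsing from the same client.
SAMPLE_LOG = """\
2026-04-10T09:00:00 10.0.0.5 api.example-cdn.test GET /v1/status
2026-04-10T09:00:52 10.0.0.5 api.example-cdn.test GET /v1/status
2026-04-10T09:01:58 10.0.0.5 api.example-cdn.test GET /v1/status
2026-04-10T09:02:49 10.0.0.5 api.example-cdn.test GET /v1/status
2026-04-10T09:03:55 10.0.0.5 api.example-cdn.test GET /v1/status
2026-04-10T09:04:57 10.0.0.5 api.example-cdn.test GET /v1/status
2026-04-10T09:00:03 10.0.0.5 www.example.test GET /index.html
2026-04-10T09:00:04 10.0.0.5 www.example.test GET /style.css
2026-04-10T09:13:00 10.0.0.5 www.example.test GET /news
2026-04-10T09:40:10 10.0.0.5 www.example.test GET /about
2026-04-10T09:41:30 10.0.0.5 www.example.test GET /contact
"""


def parse_log(text):
    """Parse the constructed 'timestamp src dst method path' lines into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, path = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, method, path))
    return records


def find_beacons(records, min_requests=5, max_jitter=0.2):
    """Return (src, dst) pairs whose request timing looks like jittered beaconing.

    For each pair the inter-request intervals are reduced to their median and the
    median absolute deviation (MAD) around it. A beacon with a randomized sleep
    has a bounded MAD/median ratio; bursty human traffic does not. Thresholds are
    assumptions, not values from the report.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _method, path in records:
        by_pair[(src, dst)].append((ts, path))

    hits = {}
    for pair, events in by_pair.items():
        if len(events) < min_requests:
            continue
        events.sort()
        times = [ts for ts, _ in events]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(intervals)
        if med <= 0:
            continue
        mad = median(abs(i - med) for i in intervals)
        jitter = mad / med
        if jitter <= max_jitter:
            hits[pair] = {
                "count": len(events),
                "median_interval": med,
                "jitter": jitter,
                "distinct_paths": len({path for _, path in events}),
            }
    return hits


if __name__ == "__main__":
    for pair, info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(pair, info)
```

Treat the output as a triage list rather than a verdict: software updaters and monitoring agents beacon too. The `distinct_paths` count is the cheap way to separate a loader that keeps hitting one fake REST endpoint from a real API client, which normally walks several resources.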

Technical Details: The PowMix loader is a PowerShell script that bypasses AMSI so the decoded payload can be executed directly in memory without touching disk. It updates its C2 domain dynamically and uses a custom XOR-based scheme to encode C2 traffic; XOR is obfuscation rather than real encryption, so traffic can be decoded for analysis once the key is recovered.
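To make "suspicious PowerShell activity" concrete once script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) is enabled, here is an added example, not code from the Talos report or from PowMix, that scores logged script blocks for the behaviours described above: AMSI tampering, base64 decoding, in-memory evaluation, and the string splicing loaders use to hide those keywords. The rule set, weights and the two sample script blocks are constructed for illustration; the loader sample is a generic AMSI-patching pattern, not PowMix's actual code.

```python
"""Score PowerShell script blocks (Event ID 4104 ScriptBlockText) for loader behaviour.

Added example for this page; not code from the Talos report or from PowMix.
Rule set, weights and sample events are constructed for illustration.
"""
import re

# (name, regex applied to the normalized lower-cased script, weight)
RULES = [
    ("amsi_bypass", r"amsiinitfailed|amsiutils|amsiscanbuffer|amsi\.dll", 5),
    ("reflective_load", r"\[(system\.)?reflection\.assembly\]::load", 3),
    ("base64_decode", r"frombase64string", 2),
    ("dynamic_eval", r"\biex\b|invoke-expression", 2),
    ("remote_fetch", r"downloadstring|downloaddata|invoke-webrequest|net\.webclient", 2),
    ("encoded_command", r"-encodedcommand\b|-enc\b", 2),
    ("hidden_window", r"-w(indowstyle)?\s+hidden", 1),
]
SPLICE_WEIGHT = 2  # added once if two or more splices/escapes had to be undone

# 'a'+'b' and "a"+"b" concatenations, folded back into a single literal
_CONCAT = [
    (re.compile(r"'([^']*)'\s*\+\s*'([^']*)'"), r"'\1\2'"),
    (re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"'), r'"\1\2"'),
]


def normalize(script):
    """Undo cheap keyword-splitting tricks before matching.

    Inside double-quoted strings PowerShell drops a backtick before an ordinary
    letter ("amsi`Init" is "amsiInit"), and 'Amsi'+'Utils' is the same string as
    'AmsiUtils'. Returns (lower-cased text, number of splices undone).
    """
    splices = script.count("`")
    text = script.replace("`", "")
    while True:
        folded = 0
        for pattern, repl in _CONCAT:
            text, n = pattern.subn(repl, text)
            folded += n
        if folded == 0:
            break
        splices += folded
    return text.lower(), splices


def triage(script):
    """Return the score, matched rule names and splice count for one script block."""
    text, splices = normalize(script)
    matched = [name for name, pattern, _ in RULES if re.search(pattern, text)]
    score = sum(weight for name, _, weight in RULES if name in matched)
    if splices >= 2:
        matched.append("string_splicing")
        score += SPLICE_WEIGHT
    return {"score": score, "rules": matched, "splices": splices}


def find_alerts(events, threshold=5):
    """Apply triage() to 4104-style event dicts; return (id, score, rules) at or above threshold."""
    alerts = []
    for event in events:
        if event.get("EventID") != 4104:
            continue
        result = triage(event["ScriptBlockText"])
        if result["score"] >= threshold:
            alerts.append((event["ScriptBlockId"], result["score"], result["rules"]))
    return alerts


# Constructed samples: a routine admin one-liner and a generic AMSI-patching
# in-memory loader pattern (not PowMix's code).
BENIGN = "Get-Service -Name Spooler | Where-Object { $_.Status -eq 'Running' } | Format-Table"
LOADER = (
    "$a=[Ref].Assembly.GetType('System.Management.Automation.'+'Amsi'+'Utils');"
    '$a.GetField("amsi`InitFailed",\'NonPublic,Static\').SetValue($null,$true);'
    "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($env:P)))"
)
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "sb-1", "ScriptBlockText": BENIGN},
    {"EventID": 4104, "ScriptBlockId": "sb-2", "ScriptBlockText": LOADER},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

The normalization step is the part worth keeping even if the rule list is replaced by a vendor's: a loader that has to defeat AMSI usually splits the very strings AMSI would flag, so matching on the folded text catches the evasion rather than being defeated by it. Script block logging also records the block after PowerShell has resolved it, which is why `FromBase64String` and `IEX` show up in the clear here even when the dropper on disk was encoded.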

MITRE ATT&CK Techniques:

  • T1566.001 - Phishing: Spearphishing Attachment (Initial Access)
  • T1204 - User Execution (Execution)
  • T1059.001 - Command and Scripting Interpreter: PowerShell (Execution)
  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell (Execution)
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys (Persistence)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)

Detection signatures mentioned (ClamAV and Snort coverage rather than atomic IOCs):

  • Lnk.Trojan.PowMix (ClamAV)
  • Txt.Trojan.PowMix (ClamAV)
  • Win.Trojan.PowMix (ClamAV)
  • Snort SID: 66118
