
Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic

The Hacker News16/04/2026, 17:52

Summary

AI-Generated

Key Points:

  • Main threat/vulnerability/incident: A newly discovered botnet named PowMix is actively targeting workers in the Czech Republic, employing sophisticated evasion techniques.
  • Impact assessment and affected systems: PowMix facilitates remote access, reconnaissance, and remote code execution on compromised systems, using a multi-stage infection chain initiated by a malicious ZIP file delivered via phishing.
  • Recommended actions or mitigations: Organizations should enhance email filtering to detect malicious attachments, monitor for unusual PowerShell activity, and implement network traffic analysis to identify randomized C2 communications.

Technical Details: PowMix utilizes randomized command-and-control (C2) beaconing intervals to evade detection and embeds encrypted data within C2 URLs. The attack leverages a Windows Shortcut (LNK) to launch a PowerShell loader that decrypts and executes the malware in memory.
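The randomized beaconing described above is what the recommended network traffic analysis has to surface. The following is an added example, not code from the article or its source: it groups a constructed proxy log by source/destination pair and scores each pair by the coefficient of variation of its connection gaps, so a jittered beacon (gaps scattered around one base interval) still scores low while bursty user traffic scores high. Hostnames, timestamps and the thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log for this example (not from the article):
# "<ISO timestamp> <source host> <destination host>".
SAMPLE_LOG = """\
2026-04-16T09:00:00 ws01 cdn.example.net
2026-04-16T09:00:52 ws01 cdn.example.net
2026-04-16T09:01:49 ws01 cdn.example.net
2026-04-16T09:03:00 ws01 cdn.example.net
2026-04-16T09:04:04 ws01 cdn.example.net
2026-04-16T09:04:52 ws01 cdn.example.net
2026-04-16T09:05:58 ws01 cdn.example.net
2026-04-16T09:00:10 ws02 intranet.example.net
2026-04-16T09:00:15 ws02 intranet.example.net
2026-04-16T09:15:15 ws02 intranet.example.net
2026-04-16T09:15:45 ws02 intranet.example.net
2026-04-16T09:35:45 ws02 intranet.example.net
2026-04-16T09:35:48 ws02 intranet.example.net
2026-04-16T09:42:28 ws02 intranet.example.net
"""

def parse_log(text):
    """Group connection timestamps by (src, dst), sorted in time order."""
    seen = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst = line.split()
        seen[(src, dst)].append(datetime.fromisoformat(ts))
    return {k: sorted(v) for k, v in seen.items()}

def beacon_score(times):
    """Return (connections, mean gap in seconds, coefficient of variation)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return len(times), 0.0, float("inf")
    avg = mean(gaps)
    return len(times), avg, (pstdev(gaps) / avg if avg else float("inf"))

def find_jittered_beacons(text, min_connections=6, max_cv=0.35):
    """Pairs connecting at least min_connections times with a low coefficient
    of variation: fixed and jittered beacons score low, bursty user traffic high."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        n, avg, cv = beacon_score(times)
        if n >= min_connections and cv <= max_cv:
            hits.append({"src": src, "dst": dst, "connections": n,
                         "mean_gap_s": round(avg, 1), "cv": round(cv, 3)})
    return hits
```

On the sample log only ws01 is flagged (seven connections about a minute apart with roughly 15 s of jitter); ws02's gaps range from seconds to twenty minutes and score well above the threshold.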

MITRE ATT&CK Techniques:

  • T1566.001 - Phishing: Spearphishing Attachment (Initial Access)
  • T1059.001 - Command and Scripting Interpreter: PowerShell (Execution)
  • T1547.001 - Boot or Logon Autostart Execution: Scheduled Task (Persistence)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)

IOCs Mentioned: None
