
PowerStallion

Posted: May 31, 2019

PowerStallion is one of the advanced tools used by the Turla group, a team of hackers whose activity dates back to 2008 and that has been involved in attacks against high-profile targets such as the French and US military, as well as the German Foreign Office. PowerStallion serves as a silent backdoor that can execute PowerShell scripts, granting the attacker access to some of the infected host's features.

Researchers believe that PowerStallion is not Turla's primary weapon of choice; instead, it is often used as a 'backup backdoor' in case the main backdoors, such as Gazer and Carbon, fail for some reason. Despite its backup role, the PowerStallion backdoor still packs some interesting features, such as the ability to communicate with a Command & Control server hosted on the free, public Microsoft OneDrive service. Even more striking, in one of the analyzed samples of the PowerStallion backdoor the email address used to connect to the server was named after one of the employees of the targeted company, a sign that Turla's authors are likely to perform reconnaissance operations before launching their attack.
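As an added, defender-side example (not code from this page or from the researchers it cites), the following Python hunt runs over constructed Sysmon-style events and flags PowerShell processes that open network connections to OneDrive hostnames, the C2 channel the page attributes to PowerStallion. The OneDrive hostname list, the PowerShell image names and the event field names are assumptions to tune for your own telemetry.

```python
"""Flag PowerShell processes talking to OneDrive, joined with their command lines.

Added example; the events below are constructed, not real telemetry.
Event 1 = process create (gives CommandLine), Event 3 = network connection
(gives DestinationHostname); both are joined on ProcessGuid.
"""

# Assumed OneDrive hostnames: a starting point, not an exhaustive or authoritative list.
ONEDRIVE_SUFFIXES = ("onedrive.live.com", "api.onedrive.com", "1drv.ms", "files.1drv.com")
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
# Launch flags that raise severity when seen on a PowerShell process that reached OneDrive.
SUSPICIOUS_FLAGS = ("-enc", "-w hidden", "-windowstyle hidden", "-nop", "-noni")

def is_onedrive_host(host: str) -> bool:
    """Exact or subdomain match only, so 'evilonedrive.live.com' does not match."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ONEDRIVE_SUFFIXES)

def is_powershell(image: str) -> bool:
    return image.lower().replace("\\", "/").rsplit("/", 1)[-1] in POWERSHELL_IMAGES

def hunt(events):
    """Return {ProcessGuid: finding} for every PowerShell process that contacted OneDrive."""
    cmdline = {e["ProcessGuid"]: e.get("CommandLine", "") for e in events if e["EventID"] == 1}
    findings = {}
    for ev in events:
        if ev["EventID"] != 3 or not is_powershell(ev["Image"]):
            continue
        if not is_onedrive_host(ev.get("DestinationHostname", "")):
            continue
        guid = ev["ProcessGuid"]
        flags = [f for f in SUSPICIOUS_FLAGS if f in cmdline.get(guid, "").lower()]
        finding = findings.setdefault(guid, {"image": ev["Image"], "hosts": set(), "flags": flags,
                                             "severity": "high" if flags else "medium"})
        finding["hosts"].add(ev["DestinationHostname"])
    return findings

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64 blob>"},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": PS, "DestinationHostname": "api.onedrive.com"},
    {"EventID": 3, "ProcessGuid": "{B2}", "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "DestinationHostname": "onedrive.live.com"},  # legitimate client, ignored
    {"EventID": 1, "ProcessGuid": "{C3}", "Image": PS, "CommandLine": "powershell.exe -File backup.ps1"},
    {"EventID": 3, "ProcessGuid": "{C3}", "Image": PS, "DestinationHostname": "updates.example.internal"},
    {"EventID": 3, "ProcessGuid": "{D4}", "Image": PS, "DestinationHostname": "files.1drv.com"},
]

if __name__ == "__main__":
    for guid, f in hunt(SAMPLE_EVENTS).items():
        print(guid, f["severity"], sorted(f["hosts"]), f["flags"])
```

A process seen only in network events (no matching process-create record) is still reported, at medium severity, so a gap in process logging does not hide the connection.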

It appears that the Turla members use PowerStallion for a variety of tasks, but usually focus on monitoring the activity of anti-malware software or dropping ComRAT 4.

Despite its innovative attack methods and hacking tools, the Turla group is not unstoppable: taking advantage of the protection offered by modern anti-malware software should be enough to disrupt these attacks.
