Malware: POSHSPY

Description

[POSHSPY](https://attack.mitre.org/software/S0150) is a backdoor that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2015. It appears to be used as a secondary backdoor used if the actors lost access to their primary backdoors. (Citation: FireEye POSHSPY April 2017)

External References

• mitre-attack
• FireEye POSHSPY April 2017

Techniques Used by This Malware

• T1027 — Obfuscated Files or Information
• T1030 — Data Transfer Size Limits
• T1059.001 — PowerShell
• T1070.006 — Timestomp
• T1105 — Ingress Tool Transfer
• T1546.003 — Windows Management Instrumentation Event Subscription
• T1568.002 — Domain Generation Algorithms
• T1573.002 — Asymmetric Cryptography

APT Groups Using This Malware

• APT29