POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351)

POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. (Citation: FireEye FIN7 March 2017) (Citation: Cisco DNSMessenger March 2017)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351)	Malware	1
DNSMessenger (b376580e-aba1-4ac9-9c2d-2df429efecf6)	Malpedia	POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351)	Malware	1
NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5)	Attack Pattern	POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351)	Malware	1
POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351)	Malware	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	1
POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351)	Malware	DNSMessenger (ee8ccb36-2596-43a3-a044-b8721dbeb2ab)	RAT	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351)	Malware	1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351)	Malware	1
POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	1
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	2
DNSMessenger (b376580e-aba1-4ac9-9c2d-2df429efecf6)	Malpedia	DNSMessenger (ee8ccb36-2596-43a3-a044-b8721dbeb2ab)	RAT	2
TEXTMATE - S0146 (4f6aa78c-c3d4-4883-9840-96ca2f5d6d47)	Malware	DNSMessenger (ee8ccb36-2596-43a3-a044-b8721dbeb2ab)	RAT	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
DNSMessenger (b376580e-aba1-4ac9-9c2d-2df429efecf6)	Malpedia	TEXTMATE - S0146 (4f6aa78c-c3d4-4883-9840-96ca2f5d6d47)	Malware	3
TEXTMATE - S0146 (4f6aa78c-c3d4-4883-9840-96ca2f5d6d47)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
TEXTMATE - S0146 (4f6aa78c-c3d4-4883-9840-96ca2f5d6d47)	Malware	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	4