POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351)

POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. (Citation: FireEye FIN7 March 2017) (Citation: Cisco DNSMessenger March 2017)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
DNSMessenger (b376580e-aba1-4ac9-9c2d-2df429efecf6)	Malpedia	POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351)	Malware	1
POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	1
POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351)	Malware	NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5)	Attack Pattern	1
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351)	Malware	1
POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	1
POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351)	Malware	1
DNSMessenger (ee8ccb36-2596-43a3-a044-b8721dbeb2ab)	RAT	POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351)	Malware	1
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5)	Attack Pattern	2
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
DNSMessenger (b376580e-aba1-4ac9-9c2d-2df429efecf6)	Malpedia	DNSMessenger (ee8ccb36-2596-43a3-a044-b8721dbeb2ab)	RAT	2
DNSMessenger (ee8ccb36-2596-43a3-a044-b8721dbeb2ab)	RAT	TEXTMATE - S0146 (4f6aa78c-c3d4-4883-9840-96ca2f5d6d47)	Malware	2
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	TEXTMATE - S0146 (4f6aa78c-c3d4-4883-9840-96ca2f5d6d47)	Malware	3
DNSMessenger (b376580e-aba1-4ac9-9c2d-2df429efecf6)	Malpedia	TEXTMATE - S0146 (4f6aa78c-c3d4-4883-9840-96ca2f5d6d47)	Malware	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	TEXTMATE - S0146 (4f6aa78c-c3d4-4883-9840-96ca2f5d6d47)	Malware	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	4