Skip to content

Hide Navigation Hide TOC

POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351)

POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. (Citation: FireEye FIN7 March 2017) (Citation: Cisco DNSMessenger March 2017)

Cluster A Galaxy A Cluster B Galaxy B Level
POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351) Malware NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) Attack Pattern 1
POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 1
POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 1
POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 1
POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351) Malware DNSMessenger (b376580e-aba1-4ac9-9c2d-2df429efecf6) Malpedia 1
POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351) Malware DNSMessenger (ee8ccb36-2596-43a3-a044-b8721dbeb2ab) RAT 1
POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 1
NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
TEXTMATE - S0146 (4f6aa78c-c3d4-4883-9840-96ca2f5d6d47) Malware DNSMessenger (ee8ccb36-2596-43a3-a044-b8721dbeb2ab) RAT 2
DNSMessenger (b376580e-aba1-4ac9-9c2d-2df429efecf6) Malpedia DNSMessenger (ee8ccb36-2596-43a3-a044-b8721dbeb2ab) RAT 2
TEXTMATE - S0146 (4f6aa78c-c3d4-4883-9840-96ca2f5d6d47) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
TEXTMATE - S0146 (4f6aa78c-c3d4-4883-9840-96ca2f5d6d47) Malware DNSMessenger (b376580e-aba1-4ac9-9c2d-2df429efecf6) Malpedia 3
TEXTMATE - S0146 (4f6aa78c-c3d4-4883-9840-96ca2f5d6d47) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4