
S0145 POWERSOURCE

POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. [2][1]

Item Value
ID S0145
Associated Names DNSMessenger
Type MALWARE
Version 1.1
Created 31 May 2017
Last Modified 20 July 2022

Associated Software Descriptions

Name Description
DNSMessenger Based on similar descriptions of functionality, it appears S0145, as named by FireEye, is the same as the first stages of a backdoor named DNSMessenger by Cisco’s Talos Intelligence Group. However, FireEye appears to break DNSMessenger into two parts: S0145 and S0146. [1][2]

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.004 DNS POWERSOURCE uses DNS TXT records for C2. [2][1]
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder POWERSOURCE achieves persistence by setting a Registry Run key, with the path depending on whether the victim account has user or administrator access. [1]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell POWERSOURCE is a PowerShell backdoor. [2][1]
enterprise T1564 Hide Artifacts -
enterprise T1564.004 NTFS File Attributes If the victim is using PowerShell 3.0 or later, POWERSOURCE writes its decoded payload to an alternate data stream (ADS) named kernel32.dll that is saved in %PROGRAMDATA%\Windows\. [1]
enterprise T1105 Ingress Tool Transfer POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims. [2]
enterprise T1012 Query Registry POWERSOURCE queries Registry keys in preparation for setting Run keys to achieve persistence. [1]
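
A defender-side check for two of the host artifacts listed above, the alternate data stream named kernel32.dll under %PROGRAMDATA%\Windows (T1564.004) and the Registry Run key persistence (T1547.001), added here as an example that is not part of the ATT&CK entry. The directory and the Run key hives come from the table; the filter on Run values that launch PowerShell is an assumption, since the page does not give the value name or command line the backdoor writes.

```powershell
# Added example: hunt for the POWERSOURCE artifacts described in the table above.
# Assumes Windows PowerShell 3.0 or later (Get-Item -Stream requires 3.0+).

# 1) Alternate data streams under %PROGRAMDATA%\Windows (T1564.004).
#    Every stream other than the default ':$DATA' is reported; a stream
#    named 'kernel32.dll' matches the behaviour this page describes.
function Find-SuspiciousStreams {
    param([string]$Root = (Join-Path $env:ProgramData 'Windows'))
    if (-not (Test-Path -LiteralPath $Root)) { return @() }
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length,
            @{ Name = 'MatchesPowerSourceName'; Expression = { $_.Stream -ieq 'kernel32.dll' } }
}

# 2) Registry Run keys (T1547.001). The page says the key used depends on
#    whether the account is a user or an administrator, so both hives are read.
function Find-PowerShellRunEntries {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            # Assumption: flag any Run value whose command launches PowerShell;
            # the exact value POWERSOURCE writes is not given on this page.
            if ("$($p.Value)" -match '(?i)powershell') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

Find-SuspiciousStreams    | Format-Table -AutoSize
Find-PowerShellRunEntries | Format-Table -AutoSize
```

Both functions only read the file system and Registry; review any hit against the behaviour in the table before treating it as a POWERSOURCE infection.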

Groups That Use This Software

ID Name References
G0046 FIN7 [2]
