S0146 TEXTMATE

TEXTMATE is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with POWERSOURCE in February 2017. ²

Associated Software Descriptions

Name	Description
DNSMessenger	Based on similar descriptions of functionality, it appears S0146, as named by FireEye, is the same as Stage 4 of a backdoor named DNSMessenger by Cisco’s Talos Intelligence Group. However, FireEye appears to break DNSMessenger into two parts: S0145 and S0146. ¹ ²

Domain	ID	Name	Use
enterprise	T1071	Application Layer Protocol	-
enterprise	T1071.004	DNS	TEXTMATE uses DNS TXT records for C2.²
enterprise	T1059	Command and Scripting Interpreter	-
enterprise	T1059.003	Windows Command Shell	TEXTMATE executes cmd.exe to provide a reverse shell to adversaries.²¹

ID	Name	References
G0046	FIN7	²