1. Home
  2. Software
  3. TEXTMATE

TEXTMATE

TEXTMATE is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with POWERSOURCE in February 2017. [1]

ID: S0146
Associated Software: DNSMessenger
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020
Version Permalink

Associated Software Descriptions

Name Description
DNSMessenger

Based on similar descriptions of functionality, it appears S0146, as named by FireEye, is the same as Stage 4 of a backdoor named DNSMessenger by Cisco's Talos Intelligence Group. However, FireEye appears to break DNSMessenger into two parts: S0145 and S0146. [2] [1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .004 Application Layer Protocol: DNS

TEXTMATE uses DNS TXT records for C2.[1]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

TEXTMATE executes cmd.exe to provide a reverse shell to adversaries.[1][2]

Groups That Use This Software

ID Name References
G0046 FIN7

[1]

References

  1. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  1. Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.