JUST RELEASED: ATT&CK for Industrial Control Systems
SOFTWARE
SOFTWARE
1-9
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Software
  3. TEXTMATE

TEXTMATE

TEXTMATE is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with POWERSOURCE in February 2017. [1]

ID: S0146
Associated Software: DNSMessenger
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 31 May 2017
Last Modified: 17 October 2018

Associated Software Descriptions

Name Description
DNSMessenger Based on similar descriptions of functionality, it appears S0146, as named by FireEye, is the same as Stage 4 of a backdoor named DNSMessenger by Cisco's Talos Intelligence Group. However, FireEye appears to break DNSMessenger into two parts: S0145 and S0146. [2] [1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

TEXTMATE executes cmd.exe to provide a reverse shell to adversaries.[1][2]
Enterprise T1071 Standard Application Layer Protocol

TEXTMATE uses DNS TXT records for C2.[1]

Groups That Use This Software

ID Name References
G0046 FIN7 [1]

References

  1. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  1. Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.