Software: POWERSOURCE, DNSMessenger

From ATT&CK
Software
ID S0145
Aliases POWERSOURCE, DNSMessenger
Type Malware

POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered through documents carrying malicious macros: once the victim enabled macros, a VBS script was dropped.[1][2]

Alias Descriptions

  • POWERSOURCE - [1]
  • DNSMessenger - Based on similar descriptions of functionality, it appears that POWERSOURCE, as named by FireEye, is the same as the first stages of a backdoor named DNSMessenger by Cisco's Talos Intelligence Group. However, FireEye appears to break DNSMessenger into two parts: POWERSOURCE and TEXTMATE.[2][1]

Techniques Used

  • Remote File Copy - POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims.[1]
  • Query Registry - POWERSOURCE queries Registry keys in preparation for setting Run keys to achieve persistence.[2]
  • Registry Run Keys / Start Folder - POWERSOURCE achieves persistence by setting a Registry Run key, with the key path depending on whether the victim account has user or administrator access.[2]
  • Obfuscated Files or Information - If the victim is using PowerShell 3.0 or later, POWERSOURCE writes its decoded payload to an Alternate Data Stream (ADS) named kernel32.dll attached to a file saved under %PROGRAMDATA%\Windows\.[2]
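A host-side hunt for the two persistence artifacts listed above (a PowerShell-launching Run key and an ADS under %PROGRAMDATA%\Windows), added here as an example; it is not taken from ATT&CK or from the FireEye and Talos reports. Because the page does not say which keys are used, it assumes the user-level Run key is HKCU:\...\Run and the administrator-level key is HKLM:\...\Run, that the Run value invokes powershell, and that the stream may be attached to any file or directory under %PROGRAMDATA%\Windows. The function name Find-PowerSourceArtifacts is hypothetical.

```powershell
# Added hunting script (not from ATT&CK, FireEye or Talos). Assumptions not stated on the
# page: the "user" Run key is HKCU:\...\Run, the "administrator" Run key is HKLM:\...\Run,
# and the Run value launches powershell. Requires PowerShell 3.0+ for -Stream, which is the
# same version gate the page gives for the ADS behaviour.

function Find-PowerSourceArtifacts {
    [CmdletBinding()]
    param(
        # Directory the page names as the ADS host location
        [string]$AdsDir  = (Join-Path $env:ProgramData 'Windows'),
        # Stream name the page reports
        [string]$AdsName = 'kernel32.dll'
    )

    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',   # assumed: non-admin victim
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'    # assumed: admin victim
    )

    # 1. Run-key values that launch PowerShell (POWERSOURCE is a PowerShell backdoor)
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }              # PSPath, PSProvider, ...
            if ("$($prop.Value)" -match 'powershell') {
                [pscustomobject]@{
                    Artifact = 'RunKey'
                    Location = "$key\$($prop.Name)"
                    Detail   = $prop.Value
                }
            }
        }
    }

    # 2. Alternate data streams on the host directory and everything beneath it
    if (Test-Path -LiteralPath $AdsDir) {
        $items = @(Get-Item -LiteralPath $AdsDir) +
                 @(Get-ChildItem -LiteralPath $AdsDir -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |          # skip the default data stream
                ForEach-Object {
                    $label = 'ADS'
                    if ($_.Stream -eq $AdsName) { $label = 'ADS (name matches report)' }
                    [pscustomobject]@{
                        Artifact = $label
                        Location = $_.FileName
                        Detail   = $_.Stream
                    }
                }
        }
    }
}

# Usage: list findings; an empty table means none of these artifacts were present.
Find-PowerSourceArtifacts | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM key and the whole directory tree are readable. A stream named kernel32.dll under that path is a strong indicator given the reporting, but any non-default stream there deserves inspection, and an empty result only shows that these two documented artifacts are absent, not that the host is clean.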

Groups

The following groups use this software: