{
    "type": "bundle",
    "id": "bundle--bdb0703f-8ba6-4be5-91f6-0612837e6013",
    "spec_version": "2.0",
    "objects": [
        {
            "labels": [
                "malware"
            ],
            "x_mitre_platforms": [
                "Windows"
            ],
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "x_mitre_aliases": [
                "POWERSOURCE",
                "DNSMessenger"
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "type": "malware",
            "id": "malware--17e919aa-4a49-445c-b103-dbb8df9e7351",
            "created": "2017-05-31T21:33:24.739Z",
            "x_mitre_version": "1.1",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "external_id": "S0145",
                    "url": "https://attack.mitre.org/software/S0145"
                },
                {
                    "source_name": "POWERSOURCE",
                    "description": "(Citation: FireEye FIN7 March 2017)"
                },
                {
                    "source_name": "DNSMessenger",
                    "description": "Based on similar descriptions of functionality, it appears S0145, as named by FireEye, is the same as the first stages of a backdoor named DNSMessenger by Cisco's Talos Intelligence Group. However, FireEye appears to break DNSMessenger into two parts: S0145 and S0146. (Citation: Cisco DNSMessenger March 2017) (Citation: FireEye FIN7 March 2017)"
                },
                {
                    "source_name": "Cisco DNSMessenger March 2017",
                    "url": "http://blog.talosintelligence.com/2017/03/dnsmessenger.html",
                    "description": "Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017."
                },
                {
                    "source_name": "FireEye FIN7 March 2017",
                    "url": "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html",
                    "description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017."
                }
            ],
            "x_mitre_deprecated": false,
            "revoked": false,
            "description": "[POWERSOURCE](https://attack.mitre.org/software/S0145) is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. (Citation: FireEye FIN7 March 2017) (Citation: Cisco DNSMessenger March 2017)",
            "modified": "2022-07-20T20:06:44.707Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "name": "POWERSOURCE",
            "x_mitre_attack_spec_version": "2.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
        }
    ]
}