Dust Storm

Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. [1]

ID: G0031
Version: 1.0
Created: 31 May 2017
Last Modified: 22 March 2019

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Dust Storm has used Android backdoors capable of exfiltrating specific files directly from the infected devices.[1]

Enterprise T1083 File and Directory Discovery

Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices.[1]

Enterprise T1027 Obfuscated Files or Information

Dust Storm has encoded payloads with a single-byte XOR, both skipping the key itself and zeroing in an attempt to avoid exposing the key.[1]

Software

ID Name References Techniques
S0084 Mis-Type [1] Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create Account: Local Account, Data Encoding: Standard Encoding, Fallback Channels, Masquerading: Match Legitimate Name or Location, Non-Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0083 Misdat [1] Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Data Encoding: Standard Encoding, File and Directory Discovery, Indicator Removal on Host, Indicator Removal on Host: Timestomp, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Non-Application Layer Protocol, System Information Discovery
S0085 S-Type [1] Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Commonly Used Port, Create Account: Local Account, Data Encoding: Standard Encoding, Fallback Channels, Masquerading: Match Legitimate Name or Location, System Information Discovery, System Service Discovery
S0086 ZLib [1] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Library, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, File and Directory Discovery, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Screen Capture, System Information Discovery, System Service Discovery

References