Mis-Type
Mis-Type is a backdoor hybrid that was used by Dust Storm in 2012. [1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .001 | Account Discovery: Local Account |
Mis-Type may create a file containing the results of the command |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
Mis-Type uses cmd.exe to run commands for enumerating the host.[1] |
| Enterprise | T1136 | .001 | Create Account: Local Account |
Mis-Type may create a temporary user on the system named "Lost_{{Unique Identifier}}."[1] |
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding | |
| Enterprise | T1008 | Fallback Channels |
Mis-Type first attempts to use a Base64-encoded network protocol over a raw TCP socket for C2, and if that method fails, falls back to a secondary HTTP-based protocol to communicate to an alternate C2 server.[1] |
|
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
Mis-Type saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[1][2] |
| Enterprise | T1095 | Non-Application Layer Protocol |
Mis-Type network traffic can communicate over a raw socket.[1] |
|
| Enterprise | T1082 | System Information Discovery |
The initial beacon packet for Mis-Type contains the operating system version and file system of the victim.[1] |
|
| Enterprise | T1016 | System Network Configuration Discovery |
Mis-Type may create a file containing the results of the command |
|
| Enterprise | T1033 | System Owner/User Discovery |
Mis-Type runs tests to determine the privilege level of the compromised user.[1] |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0031 | Dust Storm |