Dust Storm

Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. [1]

ID: G0031
Aliases: Dust Storm
Version: 1.0

Alias Descriptions

Name | Description
Dust Storm | [1]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1005 | Data from Local System | Dust Storm has used Android backdoors capable of exfiltrating specific files directly from the infected devices. [1]
Enterprise | T1083 | File and Directory Discovery | Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices. [1]
Enterprise | T1027 | Obfuscated Files or Information | Dust Storm has encoded payloads with a single-byte XOR that skips bytes equal to the key and zero bytes, in an attempt to avoid exposing the key. [1]
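The XOR variant described in the T1027 row, re-implemented here as an added analyst-side example (this is not Dust Storm's code or anything from the cited report): bytes equal to 0x00 or to the key are left untouched, which hides the key from the usual most-frequent-byte heuristic, so a known-plaintext search is shown as the recovery method instead. The function names, the sample payload and the key value 0x4D are all constructed for the example.

```python
# Added example, not code from the Dust Storm tooling or the cited report:
# the single-byte XOR described above (bytes equal to 0x00 or to the key are
# skipped) plus a known-plaintext key recovery routine for analysts.
from collections import Counter


def xor_skip(data: bytes, key: int) -> bytes:
    """XOR every byte with `key`, skipping bytes equal to 0x00 or to `key`.

    With plain XOR every zero byte (padding, alignment) becomes the key byte,
    so the key is simply the most frequent byte of the encoded blob. Skipping
    those bytes removes that giveaway. The transform is still its own inverse,
    because b ^ key can never equal 0x00 or key for the bytes that are XORed.
    """
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    return bytes(b if b in (0, key) else b ^ key for b in data)


def recover_key(encoded: bytes, known: bytes) -> list[int]:
    """Return every key under which `known` appears in the decoded data."""
    return [k for k in range(256) if known in xor_skip(encoded, k)]


def naive_key_guess(encoded: bytes) -> int:
    """Frequency heuristic that works for plain XOR: the most common byte."""
    return Counter(encoded).most_common(1)[0][0]


# Constructed sample "payload": a PE-like header, a DOS stub string, zero padding.
SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
          + b"This program cannot be run in DOS mode." + b"\x00" * 32)
KEY = 0x4D  # 'M': constructed so the sample holds both the key byte and zeros
ENCODED = xor_skip(SAMPLE, KEY)

if __name__ == "__main__":
    assert xor_skip(ENCODED, KEY) == SAMPLE  # round trip with the same key
    print("frequency heuristic guesses key:", hex(naive_key_guess(ENCODED)))
    print("known-plaintext recovery:",
          [hex(k) for k in recover_key(ENCODED, b"DOS mode")])
```

Against this sample the frequency heuristic returns 0x00 rather than the real key, while the known-plaintext search returns 0x4D; the same search works with any string an analyst expects in the decoded payload.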

Software

ID | Name | Techniques
S0084 | Mis-Type | Account Discovery, Command-Line Interface, Commonly Used Port, Create Account, Custom Command and Control Protocol, Data Encoding, Fallback Channels, Masquerading, Standard Application Layer Protocol, Standard Non-Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0083 | Misdat | Command-Line Interface, Commonly Used Port, Custom Command and Control Protocol, Data Encoding, File and Directory Discovery, File Deletion, Indicator Removal on Host, Masquerading, Remote File Copy, Standard Non-Application Layer Protocol, System Information Discovery, Timestomp
S0085 | S-Type | Account Discovery, Commonly Used Port, Create Account, Data Encoding, Fallback Channels, Masquerading, Registry Run Keys / Startup Folder, Shortcut Modification, Standard Application Layer Protocol, System Information Discovery, System Service Discovery
S0086 | ZLib | Command-Line Interface, Data Compressed, File and Directory Discovery, Masquerading, New Service, Remote File Copy, Screen Capture, Standard Application Layer Protocol, System Information Discovery, System Service Discovery

References