Dust Storm

Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. [1]

ID: G0031
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Dust Storm has used Android backdoors capable of exfiltrating specific files directly from the infected devices.[1]

Enterprise T1083 File and Directory Discovery

Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices.[1]

Enterprise T1027 Obfuscated Files or Information

Dust Storm has encoded payloads with a single-byte XOR that skips bytes equal to the key itself and null (0x00) bytes, leaving both unchanged, in an attempt to avoid exposing the key: under a plain XOR a null byte encodes to the key and a key byte to null, so the zero-padding common in executables would print the key throughout the encoded blob.[1]
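The following is an added example, not code from ATT&CK, from the cited report, or from the Dust Storm malware itself. It reimplements the described encoding under the assumption that "skipping" means bytes equal to 0x00 or to the key are copied through unchanged, shows why the usual most-frequent-byte key guess fails against it, and recovers the key anyway by brute-forcing all 255 candidates against a known PE plaintext. The payload bytes are constructed for the example.

```python
"""Single-byte XOR with skip rules, as attributed to Dust Storm payloads.

Added example (not the group's or ATT&CK's code). Assumption: bytes equal to
0x00 or to the key are passed through unencoded; everything else is XORed.
"""
from collections import Counter
from typing import Optional

# Constructed stand-in for a PE header: MZ signature, zero padding, DOS stub.
SAMPLE_PAYLOAD = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 32                                  # zero padding, as in a real header
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd!\xb8\x01L\xcd!"
    + b"This program cannot be run in DOS mode.\r\r\n$"
    + b"\x00" * 16
)

# Present in nearly every PE file, so it serves as known plaintext.
KNOWN_PLAINTEXT = b"This program cannot be run in DOS mode"


def plain_xor(data: bytes, key: int) -> bytes:
    """Textbook single-byte XOR; every 0x00 in the input becomes the key."""
    return bytes(b ^ key for b in data)


def skip_xor(data: bytes, key: int) -> bytes:
    """XOR with `key`, except 0x00 and the key byte, which pass through.

    b ^ key == 0 only when b == key, and b ^ key == key only when b == 0, so
    no other byte can land on those two values: the mapping is a bijection
    and the function is its own inverse (the same call decodes).
    """
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b if b in (0x00, key) else b ^ key for b in data)


def most_common_byte_key(blob: bytes) -> int:
    """Naive analyst heuristic: assume the most frequent encoded byte is the
    encoding of 0x00, which holds for plain XOR over a zero-padded PE.
    Against skip-XOR the zeros are still zeros, so this returns 0: wrong.
    """
    byte, _ = Counter(blob).most_common(1)[0]
    return byte ^ 0x00


def recover_key(blob: bytes, known: bytes = KNOWN_PLAINTEXT) -> Optional[int]:
    """Brute force the 255 non-zero keys, decoding with the skip rules and
    checking for the known DOS-stub string. The skip trick hides the key from
    frequency analysis but does nothing against a 255-way search.
    """
    for key in range(1, 256):
        if known in skip_xor(blob, key):
            return key
    return None


if __name__ == "__main__":
    key = 0x5A
    encoded = skip_xor(SAMPLE_PAYLOAD, key)
    print("frequency guess vs plain XOR :", hex(most_common_byte_key(plain_xor(SAMPLE_PAYLOAD, key))))
    print("frequency guess vs skip XOR  :", hex(most_common_byte_key(encoded)))
    print("known-plaintext brute force  :", hex(recover_key(encoded)))
```

The frequency heuristic recovers the key from the plain XOR output but reports 0x00 for the skip-XOR output, which is the evasion the technique buys. The brute-force check still finds the key in well under a second on any realistic blob, so the appropriate analyst response to this encoding is known-plaintext search rather than byte-frequency analysis.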

Software

ID Name References Techniques
S0084 Mis-Type [1] Account Discovery, Command-Line Interface, Commonly Used Port, Create Account, Custom Command and Control Protocol, Data Encoding, Fallback Channels, Masquerading, Standard Application Layer Protocol, Standard Non-Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0083 Misdat [1] Command-Line Interface, Commonly Used Port, Custom Command and Control Protocol, Data Encoding, File and Directory Discovery, File Deletion, Indicator Removal on Host, Masquerading, Remote File Copy, Standard Non-Application Layer Protocol, System Information Discovery, Timestomp
S0085 S-Type [1] Account Discovery, Commonly Used Port, Create Account, Data Encoding, Fallback Channels, Masquerading, Registry Run Keys / Startup Folder, Shortcut Modification, Standard Application Layer Protocol, System Information Discovery, System Service Discovery
S0086 ZLib [1] Command-Line Interface, Data Compressed, File and Directory Discovery, Masquerading, New Service, Remote File Copy, Screen Capture, Standard Application Layer Protocol, System Information Discovery, System Service Discovery

References