Dust Storm

Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. [1]

ID: G0031
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1005 | Data from Local System | Dust Storm has used Android backdoors capable of exfiltrating specific files directly from the infected devices.[1]
Enterprise | T1083 | File and Directory Discovery | Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices.[1]
Enterprise | T1027 | Obfuscated Files or Information | Dust Storm has encoded payloads with a single-byte XOR, both skipping the key itself and zeroing in an attempt to avoid exposing the key.[1]
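The T1027 entry above describes a single-byte XOR variant that leaves certain bytes untouched so the key does not leak. The following is an added example, not code from the page or from any Dust Storm sample; it assumes the description means that bytes equal to 0x00 or to the key byte are copied through unchanged, uses a constructed PE-like buffer and an arbitrary key, and shows why a frequency-based key guess works on plain XOR but not on this variant, while a known-plaintext brute force over the 256 possible keys still recovers it.

```python
from collections import Counter
from typing import Optional

# Constructed sample: a PE-like header with a long run of zero padding,
# the kind of plaintext that makes plain single-byte XOR leak its key.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 64 + b"This program cannot be run in DOS mode."
KEY = 0x3C  # arbitrary constructed key, not one seen in the wild


def xor_plain(data: bytes, key: int) -> bytes:
    """Ordinary single-byte XOR: every byte is XORed with the key."""
    return bytes(b ^ key for b in data)


def xor_skip(data: bytes, key: int) -> bytes:
    """XOR variant as read from the T1027 description (an assumption):
    bytes equal to 0x00 or to the key itself are copied through unchanged,
    so a zero never becomes the key byte and the key never becomes a zero.
    The transform is its own inverse, so it both encodes and decodes."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b if b in (0, key) else b ^ key for b in data)


def guess_key_by_frequency(encoded: bytes) -> int:
    """Naive analyst heuristic: assume the plaintext is dominated by zero
    bytes, so the most frequent ciphertext byte equals the key."""
    return Counter(encoded).most_common(1)[0][0]


def recover_key(encoded: bytes, known_prefix: bytes = b"MZ") -> Optional[int]:
    """Known-plaintext brute force over all 256 keys. This still works on the
    skip variant because the key space is tiny; only the frequency trick fails."""
    for key in range(256):
        if xor_skip(encoded, key).startswith(known_prefix):
            return key
    return None


if __name__ == "__main__":
    plain = xor_plain(SAMPLE, KEY)
    skip = xor_skip(SAMPLE, KEY)
    print(f"plain XOR: frequency guess -> {guess_key_by_frequency(plain):#04x} (actual {KEY:#04x})")
    print(f"skip XOR:  frequency guess -> {guess_key_by_frequency(skip):#04x} (actual {KEY:#04x})")
    print(f"skip XOR:  brute force     -> {recover_key(skip):#04x}")
```

For triage, the practical lesson is to prefer a known-plaintext or structural check (a PE header, a known string) over byte-frequency heuristics when an encoded payload has suspiciously intact zero runs.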

Software

ID | Name | References | Techniques
S0084 | Mis-Type | [1] | Account Discovery, Command-Line Interface, Commonly Used Port, Create Account, Custom Command and Control Protocol, Data Encoding, Fallback Channels, Masquerading, Standard Application Layer Protocol, Standard Non-Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0083 | Misdat | [1] | Command-Line Interface, Commonly Used Port, Custom Command and Control Protocol, Data Encoding, File and Directory Discovery, File Deletion, Indicator Removal on Host, Masquerading, Remote File Copy, Standard Non-Application Layer Protocol, System Information Discovery, Timestomp
S0085 | S-Type | [1] | Account Discovery, Commonly Used Port, Create Account, Data Encoding, Fallback Channels, Masquerading, Registry Run Keys / Startup Folder, Shortcut Modification, Standard Application Layer Protocol, System Information Discovery, System Service Discovery
S0086 | ZLib | [1] | Command-Line Interface, Data Compressed, File and Directory Discovery, Masquerading, New Service, Remote File Copy, Screen Capture, Standard Application Layer Protocol, System Information Discovery, System Service Discovery

References