| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | DustySky can compress files via RAR while staging data to be exfiltrated.[3] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | DustySky achieves persistence by creating a Registry entry in |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | DustySky created folders in temp directories to host collected files before exfiltration.[3] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1008 | Fallback Channels | DustySky has two hard-coded domains for C2 servers; if the first does not respond, it will try the second.[1] |
| Enterprise | T1083 | File and Directory Discovery | DustySky scans the victim for files that contain certain keywords and document types, including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives on the infected machine.[1][3] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | DustySky can delete files it creates from the infected system.[3] |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| Enterprise | T1570 | Lateral Tool Transfer | DustySky searches for network drives and removable media and duplicates itself onto them.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | The DustySky dropper uses a function to obfuscate the names of functions and other parts of the malware.[1] |
| Enterprise | T1120 | Peripheral Device Discovery | |
| Enterprise | T1057 | Process Discovery | DustySky collects information about running processes from victims.[1][3] |
| Enterprise | T1091 | Replication Through Removable Media | DustySky searches for removable media and duplicates itself onto it.[1] |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1518 | Software Discovery | DustySky lists all installed software on the infected machine.[3] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | |
| Enterprise | T1082 | System Information Discovery | DustySky extracts basic information about the operating system.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active.[1] |