DustySky

DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015. [1] [2]

ID: S0062
Associated Software: NeD Worm

Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1008 | Fallback Channels | DustySky has two hard-coded domains for C2 servers; if the first does not respond, it will try the second. [1] |
| Enterprise | T1083 | File and Directory Discovery | DustySky scans the victim for files that contain certain keywords from a list that is obtained from the C2 as a text file. It also collects information about installed software. [1] |
| Enterprise | T1056 | Input Capture | DustySky contains a keylogger. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | The DustySky dropper uses a function to obfuscate the name of functions and other parts of the malware. [1] |
| Enterprise | T1057 | Process Discovery | DustySky collects information about running processes from victims. [1] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | DustySky achieves persistence by creating a Registry entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. [1] |
| Enterprise | T1105 | Remote File Copy | DustySky searches for network drives and removable media and duplicates itself onto them. [1] |
| Enterprise | T1091 | Replication Through Removable Media | DustySky searches for removable media and duplicates itself onto it. [1] |
| Enterprise | T1063 | Security Software Discovery | DustySky checks for the existence of anti-virus. [1] |
| Enterprise | T1071 | Standard Application Layer Protocol | DustySky has used both HTTP and HTTPS for C2. [1] |
| Enterprise | T1082 | System Information Discovery | DustySky extracts basic information about the operating system. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active. [1] |

Groups

Groups that use this software:

Molerats
