DustySky

DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015. [1] [2][3]

ID: S0062
Associated Software: NeD Worm
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 14 May 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

DustySky has used both HTTP and HTTPS for C2.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

DustySky can compress files via RAR while staging data to be exfiltrated.[3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

DustySky achieves persistence by creating a Registry entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.[1]
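
The Run-key write described above is one of the easier DustySky behaviours to catch in host telemetry. The following is an added example (not DustySky code, and not part of the ATT&CK page) that scans Sysmon Event ID 13 (RegistryEvent, value set) records and reports per-user Run values whose data points into a user-writable location; the records, the SID and the paths are constructed for the example.

```python
"""Added example (not DustySky code): flag Run-key persistence of the kind
described above from Sysmon Event ID 13 (RegistryEvent, value set) records.
Sysmon writes HKCU values under HKU and the user's SID; both spellings are
accepted. All records below are constructed for this example."""
import re

# Per-user Run key, with the value name captured.
RUN_KEY_RE = re.compile(
    r"^(?:HKCU|HKU\\S-1-5-21-[\d-]+)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)

# User-writable locations: an installer running as admin rarely autostarts
# from here, user-level malware that cannot write Program Files usually does.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads)\\|\\Temp\\|\\ProgramData\\",
    re.IGNORECASE,
)


def extract_exe_path(details):
    """Return the executable from value data, quoted ('"C:\\d\\x.exe" /s')
    or bare ('C:\\d\\x.exe /s')."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    return details.split(" ", 1)[0]


def find_run_key_persistence(events):
    """Return one finding per per-user Run value pointing at a user-writable path."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = RUN_KEY_RE.match(ev.get("TargetObject", ""))
        if not m:
            continue
        exe = extract_exe_path(ev.get("Details", ""))
        if USER_WRITABLE_RE.search(exe):
            hits.append({
                "value_name": m.group("name"),
                "exe": exe,
                "writer": ev.get("Image"),
                "pid": ev.get("ProcessId"),
            })
    return hits


SID = "S-1-5-21-1004336348-1177238915-682003330-1001"   # constructed SID
RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_EVENTS = [  # constructed Sysmon-shaped records
    {   # dropper in %TEMP% registers itself under a Windows-looking name
        "EventID": 13, "ProcessId": 4120,
        "Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
        "TargetObject": "HKU\\" + SID + "\\" + RUN + r"\WindowsUpdate",
        "Details": r'"C:\Users\bob\AppData\Local\Temp\svchost.exe"',
    },
    {   # legitimate per-user autostart from Program Files: ignored
        "EventID": 13, "ProcessId": 980,
        "Image": r"C:\Program Files\Example\setup.exe",
        "TargetObject": "HKU\\" + SID + "\\" + RUN + r"\ExampleTray",
        "Details": r'"C:\Program Files\Example\tray.exe" --autostart',
    },
    {   # machine-wide Run key: outside this analytic's scope
        "EventID": 13, "ProcessId": 980,
        "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleSvc",
        "Details": r"C:\ProgramData\Example\svc.exe",
    },
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe"},  # unrelated event
]

if __name__ == "__main__":
    for hit in find_run_key_persistence(SAMPLE_EVENTS):
        print(hit)
```

Legitimate per-user software (updaters, chat clients, cloud-sync agents) also autostarts from AppData, so baseline value names and paths per environment before turning this into an alert; the writer image and parent process are what separate a dropper from an installer.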

Enterprise T1074 .001 Data Staged: Local Data Staging

DustySky created folders in temp directories to host collected files before exfiltration.[3]
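
The two entries above (RAR compression, then a temp folder as the staging point) describe one sequence: an archiver whose output lands in a temp directory. The following is an added example (not DustySky code, and not part of the ATT&CK page) that parses RAR command lines from Sysmon Event ID 1 (process creation) records and flags archive-creating runs whose output path is under a temp directory. The records, paths and password are constructed; the password-switch check is a general severity indicator added here, not a behaviour the page attributes to DustySky.

```python
"""Added example (not DustySky code): flag archiver runs that write their
output into a temp directory, the compress-then-stage sequence described in
the Archive via Utility and Local Data Staging entries. Input is Sysmon
Event ID 1 (process creation) records, constructed for this example."""
import ntpath
import re
import shlex

ARCHIVERS = {"rar.exe", "winrar.exe"}
ARCHIVE_CMDS = {"a", "u", "m"}          # RAR add / update / move-into-archive
TEMP_DIR_RE = re.compile(r"\\(?:Temp|Tmp)\\", re.IGNORECASE)


def parse_rar_cmdline(cmdline):
    """Split 'RAR <command> [-switches] <archive> [files...]'.
    shlex in non-POSIX mode keeps Windows backslashes intact and quoted
    paths whole; the quotes are stripped from each token afterwards."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if len(tokens) < 3:
        return None
    command = tokens[1].lower()
    switches = [t for t in tokens[2:] if t.startswith("-")]
    operands = [t for t in tokens[2:] if not t.startswith("-")]
    if not operands:
        return None
    return command, switches, operands[0], operands[1:]


def find_temp_archive_staging(events):
    """Return archiver runs that create an archive under a temp directory."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        if ntpath.basename(ev.get("Image", "")).lower() not in ARCHIVERS:
            continue
        parsed = parse_rar_cmdline(ev.get("CommandLine", ""))
        if parsed is None:
            continue
        command, switches, archive, sources = parsed
        if command not in ARCHIVE_CMDS:
            continue                      # extract / list / test: not staging
        if not ntpath.isabs(archive):     # relative archive name: resolve against CWD
            archive = ntpath.join(ev.get("CurrentDirectory", ""), archive)
        if not TEMP_DIR_RE.search(archive):
            continue
        hits.append({
            "pid": ev.get("ProcessId"),
            "parent": ev.get("ParentImage"),
            "archive": archive,
            "sources": sources,
            # -p / -hp set an archive password (general indicator, not from the page)
            "encrypted": any(s.lower().startswith(("-p", "-hp")) for s in switches),
        })
    return hits


SAMPLE_EVENTS = [  # constructed Sysmon-shaped records
    {   # rar.exe dropped beside the implant, output into a temp subfolder
        "EventID": 1, "ProcessId": 5312,
        "Image": r"C:\Users\bob\AppData\Local\Temp\tmp8F3A\rar.exe",
        "ParentImage": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
        "CurrentDirectory": "C:\\Users\\bob\\AppData\\Local\\Temp\\tmp8F3A\\",
        "CommandLine": r"rar.exe a -r -ep1 -hpConstructedPw docs.rar "
                       r"C:\Users\bob\Documents\*.docx C:\Users\bob\Documents\*.pdf",
    },
    {   # user extracting a download with WinRAR: not staging
        "EventID": 1, "ProcessId": 6108,
        "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CurrentDirectory": "C:\\Users\\bob\\Downloads\\",
        "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" x -ibck '
                       r"C:\Users\bob\Downloads\report.rar C:\Users\bob\Downloads\report",
    },
    {   # backup job archiving to a data drive: not a temp location
        "EventID": 1, "ProcessId": 6200,
        "Image": r"C:\Program Files\WinRAR\Rar.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CurrentDirectory": "D:\\",
        "CommandLine": r"Rar.exe a -r D:\Backups\photos.rar C:\Users\bob\Pictures",
    },
]

if __name__ == "__main__":
    for hit in find_temp_archive_staging(SAMPLE_EVENTS):
        print(hit)
```

The archiver binary need not be the installed WinRAR; DustySky-style tooling carries its own copy, so matching on the image file name rather than the install path matters. The parent process and the archive's source globs (user document folders) are the fields worth pivoting on once a hit fires.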

Enterprise T1041 Exfiltration Over C2 Channel

DustySky has exfiltrated data to the C2 server.[3]

Enterprise T1008 Fallback Channels

DustySky has two hard-coded domains for C2 servers; if the first does not respond, it will try the second.[1]
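
Because the first domain is tried on every beacon and only then the second, the fallback behaviour above leaves a recurring, tightly spaced fail-then-succeed pair in connection logs. The following is an added example (not DustySky code, and not part of the ATT&CK page) that hunts for that pattern in an EDR-style connection log carrying an outcome per attempt; Sysmon's own network event has no outcome field, so with DNS-only telemetry a failed resolution of the first name would have to stand in for "no response". The records and the reserved .example domain names are constructed.

```python
"""Added example (not DustySky code): hunt for the fallback-channel pattern
described above: the same process repeatedly gets no answer from one host
and moments later reaches a different one. Input is a per-attempt connection
log with an outcome field; the records are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta


def find_fallback_pairs(conns, window_s=60, min_repeats=2):
    """Return (image, primary, fallback) triples seen at least min_repeats
    times, where a failed attempt to `primary` is followed within window_s
    seconds by a successful connection from the same process to `fallback`."""
    by_proc = defaultdict(list)
    for c in conns:
        by_proc[(c["host"], c["pid"], c["image"])].append(c)

    counts = defaultdict(int)
    for (_, _, image), rows in by_proc.items():
        rows.sort(key=lambda r: r["ts"])
        for i, first in enumerate(rows):
            if first["outcome"] != "no_response":
                continue
            for second in rows[i + 1:]:
                if second["ts"] - first["ts"] > timedelta(seconds=window_s):
                    break
                # a retry of the same host is not a fallback; the first
                # successful contact with another host closes the pair
                if second["outcome"] == "ok" and second["dest"] != first["dest"]:
                    counts[(image, first["dest"], second["dest"])] += 1
                    break
    return [
        {"image": img, "primary": p, "fallback": f, "repeats": n}
        for (img, p, f), n in sorted(counts.items(), key=lambda kv: -kv[1])
        if n >= min_repeats
    ]


def _conn(ts, pid, image, dest, outcome):
    """Build one constructed log record."""
    return {"host": "WS-042", "ts": datetime.fromisoformat(ts), "pid": pid,
            "image": image, "dest": dest, "outcome": outcome}


IMPLANT = r"C:\Users\bob\AppData\Local\Temp\svchost.exe"        # constructed
BROWSER = r"C:\Program Files\Example Browser\browser.exe"       # constructed

SAMPLE_CONNECTIONS = [  # constructed; .example names are reserved (RFC 2606)
    # three beacons: primary never answers, fallback does, 20 s later each time
    _conn("2020-05-14T09:00:00", 4120, IMPLANT, "primary.example", "no_response"),
    _conn("2020-05-14T09:00:20", 4120, IMPLANT, "backup.example", "ok"),
    _conn("2020-05-14T09:10:00", 4120, IMPLANT, "primary.example", "no_response"),
    _conn("2020-05-14T09:10:20", 4120, IMPLANT, "backup.example", "ok"),
    _conn("2020-05-14T09:20:00", 4120, IMPLANT, "primary.example", "no_response"),
    _conn("2020-05-14T09:20:20", 4120, IMPLANT, "backup.example", "ok"),
    # a browser hitting a dead CDN once and moving on: one-off, below threshold
    _conn("2020-05-14T09:03:00", 2210, BROWSER, "cdn.example", "no_response"),
    _conn("2020-05-14T09:03:04", 2210, BROWSER, "www.example", "ok"),
    # a retry of the same host is not a fallback
    _conn("2020-05-14T09:05:00", 2210, BROWSER, "mail.example", "no_response"),
    _conn("2020-05-14T09:05:02", 2210, BROWSER, "mail.example", "ok"),
]

if __name__ == "__main__":
    for pair in find_fallback_pairs(SAMPLE_CONNECTIONS):
        print(pair)
```

The repeat count is what makes this usable: browsers and updaters produce one-off fail-then-succeed pairs all day, whereas an implant with a dead primary produces the same pair on every beacon. Once a pair fires, both domains belong on the block list, since the primary may start answering again later.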

Enterprise T1083 File and Directory Discovery

DustySky scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine.[1][3]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

DustySky can delete files it creates from the infected system.[3]

Enterprise T1056 .001 Input Capture: Keylogging

DustySky contains a keylogger.[1]

Enterprise T1570 Lateral Tool Transfer

DustySky searches for network drives and removable media and duplicates itself onto them.[1]

Enterprise T1027 Obfuscated Files or Information

The DustySky dropper uses a function to obfuscate the names of functions and other parts of the malware.[1]

Enterprise T1120 Peripheral Device Discovery

DustySky can detect connected USB devices.[3]

Enterprise T1057 Process Discovery

DustySky collects information about running processes from victims.[1][3]

Enterprise T1091 Replication Through Removable Media

DustySky searches for removable media and duplicates itself onto it.[1]
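
The Lateral Tool Transfer and Replication Through Removable Media entries describe the same action seen from two destinations: the implant writes a copy of its own executable onto another volume or a network share. The following is an added example (not DustySky code, and not part of the ATT&CK page) that flags exactly that in Sysmon Event ID 11 (FileCreate) records, matching the writer's own file name on a different volume. Sysmon does not record the drive type, so a removable drive and a mapped network drive both appear as another drive letter, while UNC targets are network shares by construction. The records and paths are constructed.

```python
"""Added example (not DustySky code): flag a process writing a copy of its
own executable to a different volume or a network share, the replication
behaviour in the Lateral Tool Transfer and Replication Through Removable
Media entries. Input is Sysmon Event ID 11 (FileCreate) records, constructed
for this example."""
import ntpath
from collections import defaultdict


def volume_of(path):
    # E:\x.exe -> "e:"      \\fs01\public\x.exe -> "\\fs01\public"
    return ntpath.splitdrive(path)[0].lower()


def find_self_copies(events):
    """Return FileCreate events whose target carries the writer's own file
    name on a different volume than the writer's image."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        image, target = ev.get("Image", ""), ev.get("TargetFilename", "")
        if ntpath.basename(image).lower() != ntpath.basename(target).lower():
            continue
        if volume_of(image) == volume_of(target):
            continue            # same-volume copies are routine during installs
        hits.append({
            "pid": ev.get("ProcessId"),
            "image": image,
            "target": target,
            "volume": volume_of(target),
            "network": target.startswith("\\\\"),
        })
    return hits


def spreading_processes(hits, min_volumes=2):
    """Group self-copies per process; one that has seeded several volumes
    is the strongest signal."""
    per_proc = defaultdict(set)
    for h in hits:
        per_proc[(h["pid"], h["image"])].add(h["volume"])
    return {k: sorted(v) for k, v in per_proc.items() if len(v) >= min_volumes}


IMPLANT = r"C:\Users\bob\AppData\Local\Temp\svchost.exe"   # constructed

SAMPLE_EVENTS = [  # constructed Sysmon-shaped records
    # implant copies itself to a USB stick and to a file share
    {"EventID": 11, "ProcessId": 4120, "Image": IMPLANT,
     "TargetFilename": r"E:\svchost.exe"},
    {"EventID": 11, "ProcessId": 4120, "Image": IMPLANT,
     "TargetFilename": r"\\fs01\public\svchost.exe"},
    # same process writing its log file: different name, no hit
    {"EventID": 11, "ProcessId": 4120, "Image": IMPLANT,
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\log.txt"},
    # a user saving a document to the same stick: different name, no hit
    {"EventID": 11, "ProcessId": 1844, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"E:\report.docx"},
    # an installer copying itself on the same volume: routine, no hit
    {"EventID": 11, "ProcessId": 980, "Image": r"C:\Users\bob\Downloads\setup.exe",
     "TargetFilename": r"C:\Program Files\Example\setup.exe"},
]

if __name__ == "__main__":
    hits = find_self_copies(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print(spreading_processes(hits))
```

Matching on the file name is the cheap first pass; a copy written under a different name evades it. FileCreate events carry no hash, so the stronger correlation is the hash from the process-creation event when the copy is later executed on the other host or from the removable drive, compared against the original implant's hash.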

Enterprise T1113 Screen Capture

DustySky captures PNG screenshots of the main screen.[3]

Enterprise T1518 Software Discovery

DustySky lists all installed software for the infected machine.[3]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

DustySky checks for the existence of anti-virus.[1]

Enterprise T1082 System Information Discovery

DustySky extracts basic information about the operating system.[1]

Enterprise T1529 System Shutdown/Reboot

DustySky can shut down the infected machine.[3]

Enterprise T1047 Windows Management Instrumentation

The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active.[1]

Groups That Use This Software

ID Name References
G0021 Molerats [1][2][3]

References