DustySky

DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015. [1] [2]

ID: S0062
Associated Software: NeD Worm
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1008 Fallback Channels

DustySky has two hard-coded domains for C2 servers; if the first does not respond, it will try the second.[1]

Enterprise T1083 File and Directory Discovery

DustySky scans the victim for files that contain certain keywords from a list that is obtained from the C2 as a text file. It also collects information about installed software.[1]

Enterprise T1056 Input Capture

DustySky contains a keylogger.[1]

Enterprise T1027 Obfuscated Files or Information

The DustySky dropper uses a function to obfuscate the name of functions and other parts of the malware.[1]

Enterprise T1057 Process Discovery

DustySky collects information about running processes from victims.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

DustySky achieves persistence by creating a Registry entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.[1]

Enterprise T1105 Remote File Copy

DustySky searches for network drives and removable media and duplicates itself onto them.[1]

Enterprise T1091 Replication Through Removable Media

DustySky searches for removable media and duplicates itself onto it.[1]

Enterprise T1063 Security Software Discovery

DustySky checks for the existence of anti-virus.[1]

Enterprise T1071 Standard Application Layer Protocol

DustySky has used both HTTP and HTTPS for C2.[1]

Enterprise T1082 System Information Discovery

DustySky extracts basic information about the operating system.[1]

Enterprise T1047 Windows Management Instrumentation

The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active.[1]

Groups That Use This Software

ID Name References
G0021 Molerats [1] [2]

References