Register to stream ATT&CKcon 2.0 October 29-30


DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015. [1] [2]

ID: S0062
Associated Software: NeD Worm
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1008 Fallback Channels DustySky has two hard-coded domains for C2 servers; if the first does not respond, it will try the second. [1]
Enterprise T1083 File and Directory Discovery DustySky scans the victim for files that contain certain keywords from a list that is obtained from the C2 as a text file. It also collects information about installed software. [1]
Enterprise T1056 Input Capture DustySky contains a keylogger. [1]
Enterprise T1027 Obfuscated Files or Information The DustySky dropper uses a function to obfuscate the name of functions and other parts of the malware. [1]
Enterprise T1057 Process Discovery DustySky collects information about running processes from victims. [1]
Enterprise T1060 Registry Run Keys / Startup Folder DustySky achieves persistence by creating a Registry entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. [1]
Enterprise T1105 Remote File Copy DustySky searches for network drives and removable media and duplicates itself onto them. [1]
Enterprise T1091 Replication Through Removable Media DustySky searches for removable media and duplicates itself onto it. [1]
Enterprise T1063 Security Software Discovery DustySky checks for the existence of anti-virus. [1]
Enterprise T1071 Standard Application Layer Protocol DustySky has used both HTTP and HTTPS for C2. [1]
Enterprise T1082 System Information Discovery DustySky extracts basic information about the operating system. [1]
Enterprise T1047 Windows Management Instrumentation The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active. [1]

Groups That Use This Software

ID Name References
G0021 Molerats [1] [2]