DustySky

DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015. [1] [2]

ID: S0062
Associated Software: NeD Worm
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1008 | Fallback Channels | DustySky has two hard-coded domains for C2 servers; if the first does not respond, it will try the second.[1]
Enterprise | T1083 | File and Directory Discovery | DustySky scans the victim for files that contain certain keywords from a list that is obtained from the C2 as a text file. It also collects information about installed software.[1]
Enterprise | T1056 | Input Capture | DustySky contains a keylogger.[1]
Enterprise | T1027 | Obfuscated Files or Information | The DustySky dropper uses a function to obfuscate the names of functions and other parts of the malware.[1]
Enterprise | T1057 | Process Discovery | DustySky collects information about running processes from victims.[1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | DustySky achieves persistence by creating a Registry entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.[1]
Enterprise | T1105 | Remote File Copy | DustySky searches for network drives and removable media and duplicates itself onto them.[1]
Enterprise | T1091 | Replication Through Removable Media | DustySky searches for removable media and duplicates itself onto it.[1]
Enterprise | T1063 | Security Software Discovery | DustySky checks for the existence of anti-virus software.[1]
Enterprise | T1071 | Standard Application Layer Protocol | DustySky has used both HTTP and HTTPS for C2.[1]
Enterprise | T1082 | System Information Discovery | DustySky extracts basic information about the operating system.[1]
Enterprise | T1047 | Windows Management Instrumentation | The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus product is active.[1]

Groups

Groups that use this software:

Molerats

References