Misdat

Misdat is a backdoor that was used by Dust Storm from 2010 to 2011. [1]

ID: S0083
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface Misdat is capable of providing shell functionality to the attacker to execute commands.[1]
Enterprise T1043 Commonly Used Port Misdat network traffic communicates over common ports like 80, 443, or 1433.[1]
Enterprise T1094 Custom Command and Control Protocol Misdat network traffic communicates over a raw socket.[1]
Enterprise T1132 Data Encoding Misdat network traffic is Base64-encoded plaintext.[1]
Enterprise T1083 File and Directory Discovery Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.[1]
Enterprise T1107 File Deletion Misdat is capable of deleting the backdoor file.[1]
Enterprise T1070 Indicator Removal on Host Misdat is capable of deleting Registry keys used for persistence.[1]
Enterprise T1036 Masquerading Misdat saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service.[1][2]
Enterprise T1105 Remote File Copy Misdat is capable of downloading files from the C2.[1]
Enterprise T1095 Standard Non-Application Layer Protocol Misdat network traffic communicates over a raw socket.[1]
Enterprise T1082 System Information Discovery The initial beacon packet for Misdat contains the operating system version of the victim.[1]
Enterprise T1099 Timestomp Many Misdat samples were programmed using Borland Delphi, which will mangle the default PE compile timestamp of a file.[1]

Groups

Groups that use this software:

Dust Storm

References