Misdat is a backdoor that was used by Dust Storm from 2010 to 2011.[1]

ID: S0083
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 19 January 2022

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Misdat is capable of providing shell functionality to the attacker to execute commands.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Misdat network traffic is Base64-encoded plaintext.[1]

Enterprise T1083 File and Directory Discovery

Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.[1]

Enterprise T1070 Indicator Removal on Host

Misdat is capable of deleting Registry keys used for persistence.[1]

.004 File Deletion

Misdat is capable of deleting the backdoor file.[1]

.006 Timestomp

Many Misdat samples were programmed using Borland Delphi, which will mangle the default PE compile timestamp of a file.[1]

Enterprise T1105 Ingress Tool Transfer

Misdat is capable of downloading files from the C2.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Misdat saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[1][2]
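As an added example (not part of this ATT&CK entry or of the Dust Storm analysis it cites), the following Python check flags a process image named msdtc.exe that runs from anywhere other than the System32 directory where the legitimate service binary lives. The expected directory and the process-creation events are constructed assumptions, not telemetry from the page.

```python
import ntpath

# Assumption: the legitimate Distributed Transaction Coordinator binary is
# installed under %SystemRoot%\System32 (a constructed default for this example).
EXPECTED_DIRS = {r"c:\windows\system32"}

# Constructed sample process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msdtc.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Users\alice\AppData\Roaming\msdtc.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\ProgramData\Temp\MSDTC.EXE",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
]


def is_masquerading(image_path: str, name: str = "msdtc.exe") -> bool:
    """True when the file name matches the legitimate binary's name
    (case-insensitively) but the directory is not an expected location."""
    directory, filename = ntpath.split(image_path)
    if filename.lower() != name:
        return False
    return ntpath.normpath(directory).lower() not in EXPECTED_DIRS


def find_suspicious(events):
    """Return the image paths of events that look like a masquerading msdtc.exe."""
    return [e["image"] for e in events if is_masquerading(e["image"])]


if __name__ == "__main__":
    for path in find_suspicious(SAMPLE_EVENTS):
        print("suspicious msdtc.exe location:", path)
```

The name comparison is case-insensitive because NTFS file names are, so MSDTC.EXE in a temp directory is caught as well.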

Enterprise T1095 Non-Application Layer Protocol

Misdat network traffic communicates over a raw socket.[1]

Enterprise T1082 System Information Discovery

The initial beacon packet for Misdat contains the operating system version of the victim.[1]

Groups That Use This Software

ID Name References
G0031 Dust Storm