Misdat is a backdoor that was used by Dust Storm from 2010 to 2011.[1]

ID: S0083
Platforms: Windows

Version: 1.0

Techniques Used

Domain: Enterprise

T1059 Command-Line Interface: Misdat provides the attacker with shell functionality to execute commands on the victim.[1]
T1043 Commonly Used Port: Misdat C2 traffic uses common ports such as 80, 443, or 1433, so port alone does not distinguish it from legitimate HTTP, HTTPS or SQL Server traffic.[1]
T1094 Custom Command and Control Protocol: Misdat C2 traffic is a custom protocol carried over a raw socket rather than a standard application-layer protocol.[1]
T1132 Data Encoding: Misdat C2 traffic is plaintext that has been Base64-encoded (encoding only, not encryption).[1]
T1083 File and Directory Discovery: Misdat can run commands to list files and directories and to enumerate logical drives.[1]
T1107 File Deletion: Misdat can delete its own backdoor file.[1]
T1070 Indicator Removal on Host: Misdat can delete the Registry keys it uses for persistence.[1]
T1036 Masquerading: Misdat saves itself as a file named msdtc.exe, the name of the legitimate Microsoft Distributed Transaction Coordinator service binary (which normally resides in %SystemRoot%\System32, so the file name alone is not an indicator).[1][2]
T1105 Remote File Copy: Misdat can download files from the C2 server.[1]
T1095 Standard Non-Application Layer Protocol: Misdat C2 traffic communicates over a raw socket.[1]
T1082 System Information Discovery: The initial Misdat beacon packet contains the victim's operating system version.[1]
T1099 Timestomp: Many Misdat samples were built with Borland Delphi, whose linker writes a fixed value (19 June 1992) into the PE header compile timestamp instead of the real build time, so the timestamp cannot be used to date the sample.[1]


Groups that use this software:

Dust Storm