Misdat

Misdat is a backdoor that was used by Dust Storm from 2010 to 2011. [1]

ID: S0083
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | Misdat is capable of providing shell functionality to the attacker to execute commands. [1]
Enterprise | T1043 | Commonly Used Port | Misdat network traffic communicates over common ports like 80, 443, or 1433 (the ports normally used for HTTP, HTTPS, and MSSQL). [1]
Enterprise | T1094 | Custom Command and Control Protocol | Misdat network traffic communicates over a raw socket rather than a standard application-layer protocol. [1]
Enterprise | T1132 | Data Encoding | Misdat network traffic is Base64-encoded plaintext. [1]
Enterprise | T1083 | File and Directory Discovery | Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives. [1]
Enterprise | T1107 | File Deletion | Misdat is capable of deleting its own backdoor file. [1]
Enterprise | T1070 | Indicator Removal on Host | Misdat is capable of deleting the Registry keys it uses for persistence. [1]
Enterprise | T1036 | Masquerading | Misdat saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary. [1] [2]
Enterprise | T1105 | Remote File Copy | Misdat is capable of downloading files from the C2 server. [1]
Enterprise | T1095 | Standard Non-Application Layer Protocol | Misdat network traffic communicates over a raw socket. [1]
Enterprise | T1082 | System Information Discovery | The initial beacon packet sent by Misdat contains the operating system version of the victim. [1]
Enterprise | T1099 | Timestomp | Many Misdat samples were built with Borland Delphi, whose linker writes a fixed value (19 June 1992) into the PE header compile timestamp instead of the real build time, so the header timestamp cannot be used to date the sample. [1]
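The two host-side indicators in the table (T1036 msdtc.exe masquerading and T1099 Delphi's constant PE timestamp) can be checked from a file inventory without running the sample. The following Python is an added example written for this page; it is not code from the ATT&CK project or from Misdat. The PE bytes it builds are constructed stubs with only the headers the check needs, the file paths are invented, and the Delphi timestamp constant (0x2A425E19, i.e. 1992-06-19 22:22:17 UTC) is a known property of Borland/Delphi-linked binaries rather than anything specific to this malware.

```python
from __future__ import annotations

import struct
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Borland Delphi linkers write a constant into the COFF TimeDateStamp field instead of
# the real build time: 0x2A425E19 == 1992-06-19 22:22:17 UTC.
DELPHI_FIXED_TIMESTAMP = 0x2A425E19
# Where the genuine Microsoft Distributed Transaction Coordinator binary lives.
LEGIT_MSDTC = PureWindowsPath(r"C:\Windows\System32\msdtc.exe")


def pe_timestamp(data: bytes) -> int:
    """Read the COFF header TimeDateStamp from a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def assess(path: str, data: bytes) -> list[str]:
    """Return the ATT&CK technique IDs whose indicators this file trips."""
    findings = []
    p = PureWindowsPath(path)  # Windows path comparison is case-insensitive
    # T1036: the name of the real MSDTC service binary, but not where it should be.
    if p.name.lower() == "msdtc.exe" and p != LEGIT_MSDTC:
        findings.append("T1036")
    # T1099: Delphi's constant timestamp means the header date says nothing about the build.
    if pe_timestamp(data) == DELPHI_FIXED_TIMESTAMP:
        findings.append("T1099")
    return findings


def build_fake_pe(timestamp: int) -> bytes:
    """Constructed minimal PE-shaped bytes for the demo; not an executable and not Misdat."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                    # e_lfanew -> PE header
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHI", buf, 0x84, 0x14C, 3, timestamp)   # i386, 3 sections, stamp
    return bytes(buf)


def timestamp_utc(ts: int) -> str:
    """Render a PE TimeDateStamp for an analyst."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    # Constructed inventory: one genuine-looking file, one that trips both checks.
    samples = {
        r"C:\Windows\System32\msdtc.exe": build_fake_pe(0x4A5BC5F0),
        r"C:\Users\Public\msdtc.exe": build_fake_pe(DELPHI_FIXED_TIMESTAMP),
    }
    for path, data in samples.items():
        print(path, timestamp_utc(pe_timestamp(data)), assess(path, data))
```

A Delphi timestamp on its own is not malicious (plenty of legitimate software is Delphi-built); the point is that it removes the compile date as evidence, so an analyst should fall back to file-system timestamps, signing time, or first-seen data rather than the header.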
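On the network side the table describes Base64-encoded plaintext (T1132) sent over a raw socket (T1094, T1095) to ports that normally carry HTTP, TLS, or MSSQL (T1043), with an initial beacon that carries the victim's OS version (T1082). The Python below is an added example for this page, not ATT&CK's or Misdat's code: it flags a payload to one of those ports that does not start like the port's native protocol but is a Base64 string decoding to printable text. The sample flows and the beacon layout ("OS=...;HOST=...") are constructed for the demo and do not reproduce Misdat's real wire format.

```python
from __future__ import annotations

import base64
import binascii
import re
import string

# Ports the page lists for Misdat traffic; all three have a well-known native protocol.
WATCHED_PORTS = {80, 443, 1433}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")
B64_RE = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")
OS_RE = re.compile(r"Windows\s*(NT\s*)?\d+(\.\d+)?", re.IGNORECASE)


def expected_protocol(dst_port: int, payload: bytes) -> bool:
    """True when the first bytes look like the protocol that normally lives on the port."""
    if dst_port == 80:
        return payload.startswith(HTTP_METHODS)
    if dst_port == 443:
        return payload[:2] == b"\x16\x03"      # TLS handshake record header
    if dst_port == 1433:
        return payload[:1] == b"\x12"          # TDS PRELOGIN packet type
    return True


def decode_base64_text(payload: bytes) -> str | None:
    """Return the decoded text if the whole payload is Base64 of printable ASCII, else None."""
    s = payload.strip()
    if not B64_RE.fullmatch(s) or len(s) % 4:
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if all(c in string.printable for c in text) else None


def classify_packet(dst_port: int, payload: bytes) -> dict | None:
    """Flag a packet to a watched port that is not the port's native protocol but
    is a Base64 string hiding readable text; note whether it mentions an OS version."""
    if dst_port not in WATCHED_PORTS or expected_protocol(dst_port, payload):
        return None
    text = decode_base64_text(payload)
    if text is None:
        return None
    return {"port": dst_port, "plaintext": text, "has_os_version": bool(OS_RE.search(text))}


def scan(flows):
    """Run classify_packet over (dst_port, payload) tuples and keep the hits."""
    return [hit for port, payload in flows if (hit := classify_packet(port, payload))]


# Constructed sample flows; the beacon layout is invented for the demo, not Misdat's format.
FAKE_BEACON = "OS=Windows 5.1;HOST=WKS-07"
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),         # normal HTTP
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 20),  # TLS ClientHello
    (80, base64.b64encode(FAKE_BEACON.encode())),                          # beacon on raw socket
    (1433, base64.b64encode(b"\x00\x01\x02\x80\xff\xfe\x10\x11")),         # Base64 of binary
    (8080, base64.b64encode(FAKE_BEACON.encode())),                        # port not watched
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FLOWS):
        print(hit)
```

Only the third flow is reported: the HTTP and TLS flows match their ports' native protocols, the fourth decodes to non-text bytes, and the fifth goes to a port outside the watch list. In production the same logic would read reassembled TCP payloads from a sensor rather than the constructed list.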

Groups That Use This Software

ID | Name | References
G0031 | Dust Storm | [1]

References