Mis-Type

Mis-Type is a backdoor hybrid that was used by Dust Storm in 2012. [1]

ID: S0084
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1087 | Account Discovery | Mis-Type may create a file containing the results of the command cmd.exe /c net user {Username}. [1]
Enterprise | T1059 | Command-Line Interface | Mis-Type uses cmd.exe to run commands for enumerating the host. [1]
Enterprise | T1043 | Commonly Used Port | Mis-Type communicates over common ports such as TCP 80, 443, and 25. [1]
Enterprise | T1136 | Create Account | Mis-Type may create a temporary user on the system named "Lost_{Unique Identifier}". [1]
Enterprise | T1094 | Custom Command and Control Protocol | Mis-Type network traffic can communicate over a raw socket. [1]
Enterprise | T1132 | Data Encoding | Mis-Type uses Base64 encoding for C2 traffic. [1]
Enterprise | T1008 | Fallback Channels | Mis-Type first attempts to use a Base64-encoded network protocol over a raw TCP socket for C2, and if that method fails, falls back to a secondary HTTP-based protocol to communicate with an alternate C2 server. [1]
Enterprise | T1036 | Masquerading | Mis-Type saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service. [1] [2]
Enterprise | T1071 | Standard Application Layer Protocol | Mis-Type network traffic can communicate over HTTP. [1]
Enterprise | T1095 | Standard Non-Application Layer Protocol | Mis-Type network traffic can communicate over a raw socket. [1]
Enterprise | T1082 | System Information Discovery | The initial beacon packet for Mis-Type contains the operating system version and file system of the victim. [1]
Enterprise | T1016 | System Network Configuration Discovery | Mis-Type may create a file containing the results of the command cmd.exe /c ipconfig /all. [1]
Enterprise | T1033 | System Owner/User Discovery | Mis-Type runs tests to determine the privilege level of the compromised user. [1]
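The behaviours listed above translate directly into host-based detection logic. The following is an added example, not part of the ATT&CK page or of any Dust Storm analysis: a small Python routine that scans Windows process-creation events for three of the observables the table describes, namely msdtc.exe running outside its legitimate System32 directory (T1036), cmd.exe enumeration commands whose output is redirected to a file (T1087, T1016), and creation of a "Lost_<id>" account (T1136), plus cmd.exe spawned by a process posing as msdtc.exe (T1059). The event dictionary layout and the sample events are constructed for this example; a real deployment would map the fields from Sysmon Event ID 1 or Windows Security Event 4688.

```python
"""Added example: detection of Mis-Type host behaviours over process-creation
events. Event layout and sample data are constructed, not taken from the page."""
import ntpath
import re

# Legitimate directory of the Microsoft Distributed Transaction Coordinator binary.
LEGIT_MSDTC_DIR = r"c:\windows\system32"

# Host-enumeration commands the page attributes to Mis-Type, with the technique
# each maps to: net user (T1087) and ipconfig /all (T1016).
ENUM_CMDS = (
    ("T1087", re.compile(r"\bnet\s+user\b", re.IGNORECASE)),
    ("T1016", re.compile(r"\bipconfig\s+/all\b", re.IGNORECASE)),
)

# Temporary account creation with the Lost_<unique identifier> naming (T1136).
LOST_ACCOUNT = re.compile(r"\bnet\s+user\s+Lost_\S+\s+.*\s/add\b", re.IGNORECASE)


def _base(path):
    return ntpath.basename(path).lower()


def analyze_event(event):
    """Return a list of (technique_id, reason) findings for one process event.

    event is a dict with keys: image, parent_image, command_line (constructed layout)."""
    findings = []
    image = event.get("image", "")
    cmdline = event.get("command_line", "")
    parent = event.get("parent_image", "")

    # T1036: Mis-Type saves itself as msdtc.exe. The real service binary lives in
    # System32, so msdtc.exe launched from any other directory is suspect.
    if _base(image) == "msdtc.exe" and ntpath.dirname(image).lower() != LEGIT_MSDTC_DIR:
        findings.append(("T1036", f"msdtc.exe running from {ntpath.dirname(image)}"))

    if LOST_ACCOUNT.search(cmdline):
        # T1136: temporary Lost_<id> account being added.
        findings.append(("T1136", "creation of Lost_* account via net user /add"))
    elif _base(image) == "cmd.exe" and ">" in cmdline:
        # T1087 / T1016: enumeration command with its output redirected to a file,
        # matching the page's note that Mis-Type writes command results to a file.
        for technique_id, pattern in ENUM_CMDS:
            if pattern.search(cmdline):
                findings.append((technique_id, f"enumeration output redirected: {cmdline}"))

    # T1059: cmd.exe spawned by something calling itself msdtc.exe, which the real
    # transaction coordinator service has no reason to do.
    if _base(parent) == "msdtc.exe" and _base(image) == "cmd.exe":
        findings.append(("T1059", f"cmd.exe spawned by {parent}"))

    return findings


def scan(events):
    """Run analyze_event over a list of events; return (event_index, finding) pairs."""
    return [(i, finding) for i, ev in enumerate(events) for finding in analyze_event(ev)]


# Constructed sample events: one benign msdtc.exe start, one masquerading copy,
# three enumeration commands launched by the masquerading copy, one benign cmd.exe.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msdtc.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "command_line": "msdtc.exe"},
    {"image": r"C:\Users\Public\msdtc.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "msdtc.exe"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\Public\msdtc.exe",
     "command_line": r"cmd.exe /c net user alice > C:\Users\Public\u.txt"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\Public\msdtc.exe",
     "command_line": r"cmd.exe /c ipconfig /all > C:\Users\Public\i.txt"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\Public\msdtc.exe",
     "command_line": "cmd.exe /c net user Lost_8f3a2c P@ss /add"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for index, (technique_id, reason) in scan(SAMPLE_EVENTS):
        print(f"event {index}: {technique_id} - {reason}")
```

The path check is deliberately strict (exact System32 directory) because the legitimate service binary has one home; the parent-child check is the higher-confidence signal, since a real msdtc.exe does not spawn cmd.exe. Network-side observables from the table (Base64 over a raw TCP socket with HTTP fallback on ports 80, 443 and 25) would need a separate traffic-inspection rule and are not covered here.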

Groups That Use This Software

ID | Name | References
G0031 | Dust Storm | [1]

References