Mis-Type

Mis-Type is a backdoor hybrid that was used by Dust Storm in 2012. [1]

ID: S0084
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
--- | --- | --- | ---
Enterprise | T1087 | Account Discovery | Mis-Type may create a file containing the results of the command cmd.exe /c net user {Username}. [1]
Enterprise | T1059 | Command-Line Interface | Mis-Type uses cmd.exe to run commands for enumerating the host. [1]
Enterprise | T1043 | Commonly Used Port | Mis-Type communicates over common ports such as TCP 80, 443, and 25. [1]
Enterprise | T1136 | Create Account | Mis-Type may create a temporary user on the system named "Lost_{Unique Identifier}". [1]
Enterprise | T1094 | Custom Command and Control Protocol | Mis-Type network traffic can communicate over a raw socket. [1]
Enterprise | T1132 | Data Encoding | Mis-Type uses Base64 encoding for C2 traffic. [1]
Enterprise | T1008 | Fallback Channels | Mis-Type first attempts to use a Base64-encoded network protocol over a raw TCP socket for C2, and if that method fails, falls back to a secondary HTTP-based protocol to communicate with an alternate C2 server. [1]
Enterprise | T1036 | Masquerading | Mis-Type saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service. [1][2]
Enterprise | T1071 | Standard Application Layer Protocol | Mis-Type network traffic can communicate over HTTP. [1]
Enterprise | T1095 | Standard Non-Application Layer Protocol | Mis-Type network traffic can communicate over a raw socket. [1]
Enterprise | T1082 | System Information Discovery | The initial beacon packet for Mis-Type contains the operating system version and file system of the victim. [1]
Enterprise | T1016 | System Network Configuration Discovery | Mis-Type may create a file containing the results of the command cmd.exe /c ipconfig /all. [1]
Enterprise | T1033 | System Owner/User Discovery | Mis-Type runs tests to determine the privilege level of the compromised user. [1]

Groups

Groups that use this software:

Dust Storm

References