S-Type

S-Type is a backdoor that was used by Dust Storm from 2013 to 2014. [1]

ID: S0085
Aliases: S-Type
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

DomainIDNameUse
EnterpriseT1087Account DiscoveryS-Type runs the command net user on a victim. S-Type also runs tests to determine the privilege level of the compromised user.[1]
EnterpriseT1043Commonly Used PortS-Type uses ports 80, 443, and 8080 for C2.[1]
EnterpriseT1136Create AccountS-Type may create a temporary user on the system named “Lost_{Unique Identifier}” with the password “pond~!@6”{Unique Identifier}.”[1]
EnterpriseT1132Data EncodingS-Type uses Base64 encoding for C2 traffic.[1]
EnterpriseT1008Fallback ChannelsS-Type primarily uses port 80 for C2, but falls back to ports 443 or 8080 if initial communication fails.[1]
EnterpriseT1036MasqueradingS-Type may save itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service.[1][2]
EnterpriseT1060Registry Run Keys / Startup FolderS-Type may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ IMJPMIJ8.1{3 characters of Unique Identifier}.[1]
EnterpriseT1023Shortcut ModificationS-Type may create the file %HOMEPATH%\Start Menu\Programs\Startup\Realtek {Unique Identifier}.lnk, which points to the malicious msdtc.exe file already created in the %CommonFiles% directory.[1]
EnterpriseT1071Standard Application Layer ProtocolS-Type uses HTTP for C2.[1]
EnterpriseT1082System Information DiscoveryThe initial beacon packet for S-Type contains the operating system version and file system of the victim.[1]
EnterpriseT1007System Service DiscoveryS-Type runs the command net start on a victim.[1]

Groups

Groups that use this software:

Dust Storm

References