DUSTTRAP

DUSTTRAP is a multi-stage plugin framework made up of multiple components and associated with APT41 operations.[1]

ID: S1159
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 16 September 2024
Last Modified: 21 September 2024

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

DUSTTRAP can enumerate local user accounts.[1]

Enterprise T1087 .002 Account Discovery: Domain Account

DUSTTRAP can enumerate domain accounts.[1]

Enterprise T1010 Application Window Discovery

DUSTTRAP can enumerate running application windows.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

DUSTTRAP can execute commands via cmd.exe.[1]

Enterprise T1005 Data from Local System

DUSTTRAP can gather data from infected systems.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

DUSTTRAP deobfuscates embedded payloads.[1]

Enterprise T1482 Domain Trust Discovery

DUSTTRAP can identify Active Directory information and related items.[1]

Enterprise T1041 Exfiltration Over C2 Channel

DUSTTRAP can exfiltrate collected data over C2 channels.[1]

Enterprise T1083 File and Directory Discovery

DUSTTRAP can enumerate files and directories.[1]

Enterprise T1615 Group Policy Discovery

DUSTTRAP can identify victim environment Group Policy information.[1]

Enterprise T1070 Indicator Removal

DUSTTRAP restores the .text section of compromised DLLs after malicious code is loaded into memory and before the file is closed.[1]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

DUSTTRAP can delete infected system log information.[1]

Enterprise T1070 .005 Indicator Removal: Network Share Connection Removal

DUSTTRAP can remove network shares from infected systems.[1]

Enterprise T1105 Ingress Tool Transfer

DUSTTRAP can retrieve and load additional payloads.[1]

Enterprise T1056 .001 Input Capture: Keylogging

DUSTTRAP can perform keylogging operations.[1]

Enterprise T1654 Log Enumeration

DUSTTRAP can identify infected system log information.[1]

Enterprise T1135 Network Share Discovery

DUSTTRAP can identify and enumerate victim system network shares.[1]

Enterprise T1027 .009 Obfuscated Files or Information: Embedded Payloads

DUSTTRAP contains additional embedded DLLs and configuration files that are loaded into memory during execution.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

DUSTTRAP begins with an initial launcher that decrypts an AES-128-CFB encrypted file on disk and executes it in memory.[1]

Enterprise T1057 Process Discovery

DUSTTRAP can enumerate running processes.[1]

Enterprise T1055 Process Injection

DUSTTRAP compromises the .text section of a legitimate system DLL in %windir% to hold the contents of retrieved plug-ins.[1]

Enterprise T1012 Query Registry

DUSTTRAP can enumerate Registry items.[1]

Enterprise T1018 Remote System Discovery

DUSTTRAP can use ping to identify remote hosts within the victim network.[1]

Enterprise T1113 Screen Capture

DUSTTRAP can capture screenshots.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

DUSTTRAP can identify security software.[1]

Enterprise T1082 System Information Discovery

DUSTTRAP reads the value of the infected system's HKLM\SYSTEM\Microsoft\Cryptography\MachineGUID value.[1]

Enterprise T1016 System Network Configuration Discovery

DUSTTRAP can enumerate infected system network information.[1]

Enterprise T1124 System Time Discovery

DUSTTRAP reads the infected system's current time and writes it to a log file during execution.[1]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

DUSTTRAP decryption relies on the infected machine's HKLM\SOFTWARE\Microsoft\Cryptography\MachineGUID value.[1]

Groups That Use This Software

ID Name References
G0096 APT41 [1]

Campaigns

ID Name Description
C0040 APT41 DUST

DUSTTRAP was used during APT41 DUST.[1]

References