| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1583 | Acquire Infrastructure | - |
| Enterprise | T1583.001 | Domains | For Operation Dust Storm, the threat actors established domains as part of their operational infrastructure. |
| Enterprise | T1059 | Command and Scripting Interpreter | - |
| Enterprise | T1059.005 | Visual Basic | During Operation Dust Storm, the threat actors used Visual Basic scripts. |
| Enterprise | T1059.007 | JavaScript | During Operation Dust Storm, the threat actors used JavaScript code. |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | During Operation Dust Storm, attackers used VBS code to decode payloads. |
| Enterprise | T1189 | Drive-by Compromise | During Operation Dust Storm, the threat actors used a watering hole attack on a popular software reseller to exploit the then-zero-day Internet Explorer vulnerability CVE-2014-0322. |
| Enterprise | T1568 | Dynamic Resolution | For Operation Dust Storm, the threat actors used dynamic DNS domains from a variety of free providers, including No-IP, Oray, and 3322. |
| Enterprise | T1585 | Establish Accounts | - |
| Enterprise | T1585.002 | Email Accounts | For Operation Dust Storm, the threat actors established email addresses to register domains for their operations. |
| Enterprise | T1203 | Exploitation for Client Execution | During Operation Dust Storm, the threat actors exploited Adobe Flash vulnerability CVE-2011-0611, Microsoft Windows Help vulnerability CVE-2010-1885, and several Internet Explorer vulnerabilities, including CVE-2011-1255, CVE-2012-1889, and CVE-2014-0322. |
| Enterprise | T1036 | Masquerading | For Operation Dust Storm, the threat actors disguised some executables as JPG files. |
| Enterprise | T1027 | Obfuscated Files or Information | During Operation Dust Storm, the threat actors encoded some payloads with a single-byte XOR, both skipping the key itself and zeroing in an attempt to avoid exposing the key; other payloads were Base64-encoded. |
| Enterprise | T1027.002 | Software Packing | For Operation Dust Storm, the threat actors used UPX to pack some payloads. |
| Enterprise | T1566 | Phishing | - |
| Enterprise | T1566.001 | Spearphishing Attachment | During Operation Dust Storm, the threat actors sent spearphishing emails that contained a malicious Microsoft Word document. |
| Enterprise | T1566.002 | Spearphishing Link | During Operation Dust Storm, the threat actors sent spearphishing emails containing a malicious link. |
| Enterprise | T1518 | Software Discovery | During Operation Dust Storm, the threat actors deployed a file called DeployJava.js to fingerprint installed software on a victim system prior to exploit delivery. |
| Enterprise | T1218 | System Binary Proxy Execution | - |
| Enterprise | T1218.005 | Mshta | During Operation Dust Storm, the threat actors executed JavaScript code via mshta.exe. |
| Enterprise | T1204 | User Execution | - |
| Enterprise | T1204.001 | Malicious Link | During Operation Dust Storm, the threat actors relied on a victim clicking on a malicious link sent via email. |
| Enterprise | T1204.002 | Malicious File | During Operation Dust Storm, the threat actors relied on potential victims to open a malicious Microsoft Word document sent via email. |
| Mobile | T1533 | Data from Local System | During Operation Dust Storm, the threat actors used Android backdoors capable of exfiltrating specific files directly from the infected devices. |
| Mobile | T1646 | Exfiltration Over C2 Channel | During Operation Dust Storm, the threat actors used Android backdoors that would send information and data from a victim's mobile device to the C2 servers. |
| Mobile | T1420 | File and Directory Discovery | During Operation Dust Storm, the threat actors used Android backdoors capable of enumerating specific files on the infected devices. |
| Mobile | T1636 | Protected User Data | - |
| Mobile | T1636.004 | SMS Messages | During Operation Dust Storm, the threat actors used Android backdoors to continually forward all SMS messages and call information back to their C2 servers. |