G0031 Dust Storm

Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. [1]

ID: G0031
Associated Names: none listed
Version: 1.0
Created: 31 May 2017
Last Modified: 19 January 2022
Navigation Layer: View in ATT&CK Navigator

Techniques Used

T1005 Data from Local System (enterprise): Dust Storm has used Android backdoors capable of exfiltrating specific files directly from the infected devices. [1]
T1083 File and Directory Discovery (enterprise): Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices. [1]
T1027 Obfuscated Files or Information (enterprise): Dust Storm has encoded payloads with a single-byte XOR that skips bytes equal to the key itself and zero bytes (leaving them unencoded), in an attempt to avoid exposing the key. [1]
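The T1027 entry above describes a single-byte XOR in which bytes equal to the key and null bytes are left untouched. The reason is simple: under plain XOR a null byte encodes to the key itself, so any run of null padding in a payload prints the key in the clear, and a key-valued byte encodes to null. The following is an added example for analysts, not code from the ATT&CK page or from any Dust Storm tool; it implements that reading of the description (the skip rule for 0x00 and key-valued bytes is an interpretation of the page's wording), shows why the skip hides the key compared with naive XOR, and recovers the key from a captured blob by brute force using a known header. All sample data is constructed.

```python
# Added example (not from the ATT&CK page or the Dust Storm tooling): an
# analyst-side decoder for the single-byte XOR variant described under T1027.
# Assumption: bytes equal to 0x00 or to the key are copied through unencoded.
from typing import List


def naive_xor(data: bytes, key: int) -> bytes:
    """Plain single-byte XOR, for contrast: null padding encodes to runs of the key."""
    return bytes(b ^ key for b in data)


def xor_skip(data: bytes, key: int) -> bytes:
    """Single-byte XOR that leaves 0x00 and key-valued bytes untouched.

    An encoded byte equal to 0x00 or to the key can only come from a skipped
    byte (b ^ key is 0 only when b == key, and equals key only when b == 0),
    so the transform is its own inverse: the same call encodes and decodes.
    """
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b if b in (0, key) else b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def recover_key(blob: bytes, known_prefix: bytes = b"MZ") -> List[int]:
    """Brute-force all 256 keys; keep those whose decode starts with known_prefix."""
    return [k for k in range(256) if xor_skip(blob, k).startswith(known_prefix)]


def rank_keys(blob: bytes, top: int = 3) -> List[int]:
    """Fallback when no header is known: rank keys by printable ratio of the decode."""
    scored = sorted(range(256),
                    key=lambda k: printable_ratio(xor_skip(blob, k)),
                    reverse=True)
    return scored[:top]


# Constructed sample: a PE-like stub with null padding and a DOS-mode string.
SAMPLE_PLAINTEXT = (b"MZ\x90\x00\x03\x00\x00\x00"
                    + b"This program cannot be run in DOS mode.\r\n"
                    + b"\x00" * 8)
SAMPLE_KEY = 0x4D  # 0x4D is 'M', so the leading 'M' is itself a skipped byte


def demo() -> dict:
    """Encode the sample, confirm the skip rule and the round trip, recover the key."""
    encoded = xor_skip(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    leaked = naive_xor(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    return {
        "encoded_first_bytes": encoded[:4],          # b"M\x17\xdd\x00"
        "skip_keeps_padding_null": encoded[-8:] == b"\x00" * 8,
        "naive_leaks_key_in_padding": leaked[-8:] == bytes([SAMPLE_KEY]) * 8,
        "roundtrip_ok": xor_skip(encoded, SAMPLE_KEY) == SAMPLE_PLAINTEXT,
        "recovered_keys": recover_key(encoded),      # [0x4D]
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

When triaging a blob whose format is unknown, `rank_keys` gives a short list of candidates to inspect by hand; when the expected payload type is known (a PE file, a script, a config with a fixed magic), `recover_key` with the right prefix is decisive because only one key maps the first bytes to that prefix.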

Software

S0084 Mis-Type [1]
  Techniques: Account Discovery (Local Account); Application Layer Protocol (Web Protocols); Command and Scripting Interpreter (Windows Command Shell); Commonly Used Port; Create Account (Local Account); Data Encoding (Standard Encoding); Fallback Channels; Masquerading (Match Legitimate Name or Location); Non-Application Layer Protocol; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery

S0083 Misdat
  Techniques: Command and Scripting Interpreter (Windows Command Shell); Commonly Used Port; Data Encoding (Standard Encoding); File and Directory Discovery; Indicator Removal on Host; Indicator Removal on Host (File Deletion); Indicator Removal on Host (Timestomp); Ingress Tool Transfer; Masquerading (Match Legitimate Name or Location); Non-Application Layer Protocol; System Information Discovery

S0085 S-Type
  Techniques: Account Discovery (Local Account); Application Layer Protocol (Web Protocols); Boot or Logon Autostart Execution (Registry Run Keys / Startup Folder); Boot or Logon Autostart Execution (Shortcut Modification); Commonly Used Port; Create Account (Local Account); Data Encoding (Standard Encoding); Fallback Channels; Masquerading (Match Legitimate Name or Location); System Information Discovery; System Service Discovery

S0086 ZLib
  Techniques: Application Layer Protocol (Web Protocols); Archive Collected Data (Archive via Library); Command and Scripting Interpreter (Windows Command Shell); Create or Modify System Process (Windows Service); File and Directory Discovery; Ingress Tool Transfer; Masquerading (Match Legitimate Name or Location); Screen Capture; System Information Discovery; System Service Discovery

References