| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | DustySky has used both HTTP and HTTPS for C2. |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | DustySky can compress files via RAR while staging data to be exfiltrated. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | DustySky achieves persistence by creating a Registry entry in `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`. |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | DustySky created folders in temp directories to host collected files before exfiltration. |
| enterprise | T1041 | Exfiltration Over C2 Channel | DustySky has exfiltrated data to the C2 server. |
| enterprise | T1008 | Fallback Channels | DustySky has two hard-coded domains for C2 servers; if the first does not respond, it will try the second. |
| enterprise | T1083 | File and Directory Discovery | DustySky scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | DustySky can delete files it creates from the infected system. |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | DustySky contains a keylogger. |
| enterprise | T1570 | Lateral Tool Transfer | DustySky searches for network drives and removable media and duplicates itself onto them. |
| enterprise | T1027 | Obfuscated Files or Information | The DustySky dropper uses a function to obfuscate the name of functions and other parts of the malware. |
| enterprise | T1120 | Peripheral Device Discovery | DustySky can detect connected USB devices. |
| enterprise | T1057 | Process Discovery | DustySky collects information about running processes from victims. |
| enterprise | T1091 | Replication Through Removable Media | DustySky searches for removable media and duplicates itself onto it. |
| enterprise | T1113 | Screen Capture | DustySky captures PNG screenshots of the main screen. |
| enterprise | T1518 | Software Discovery | DustySky lists all installed software for the infected machine. |
| enterprise | T1518.001 | Security Software Discovery | DustySky checks for the existence of anti-virus. |
| enterprise | T1082 | System Information Discovery | DustySky extracts basic information about the operating system. |
| enterprise | T1047 | Windows Management Instrumentation | The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active. |