Skip to content

S0062 DustySky

DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015. 1 23

Item Value
ID S0062
Associated Names
Version 1.1
Created 31 May 2017
Last Modified 27 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols DustySky has used both HTTP and HTTPS for C2.1
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility DustySky can compress files via RAR while staging data to be exfiltrated.3
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder DustySky achieves persistence by creating a Registry entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging DustySky created folders in temp directories to host collected files before exfiltration.3
enterprise T1041 Exfiltration Over C2 Channel DustySky has exfiltrated data to the C2 server.3
enterprise T1008 Fallback Channels DustySky has two hard-coded domains for C2 servers; if the first does not respond, it will try the second.1
enterprise T1083 File and Directory Discovery DustySky scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine.13
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion DustySky can delete files it creates from the infected system.3
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging DustySky contains a keylogger.1
enterprise T1570 Lateral Tool Transfer DustySky searches for network drives and removable media and duplicates itself onto them.1
enterprise T1027 Obfuscated Files or Information The DustySky dropper uses a function to obfuscate the name of functions and other parts of the malware.1
enterprise T1120 Peripheral Device Discovery DustySky can detect connected USB devices.3
enterprise T1057 Process Discovery DustySky collects information about running processes from victims.13
enterprise T1091 Replication Through Removable Media DustySky searches for removable media and duplicates itself onto it.1
enterprise T1113 Screen Capture DustySky captures PNG screenshots of the main screen.3
enterprise T1518 Software Discovery DustySky lists all installed software for the infected machine.3
enterprise T1518.001 Security Software Discovery DustySky checks for the existence of anti-virus.1
enterprise T1082 System Information Discovery DustySky extracts basic information about the operating system.1
enterprise T1047 Windows Management Instrumentation The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active.1

Groups That Use This Software

ID Name References
G0021 Molerats 123