Skip to content

S0083 Misdat

Misdat is a backdoor that was used by Dust Storm from 2010 to 2011. 1

Item Value
ID S0083
Associated Names
Version 1.1
Created 31 May 2017
Last Modified 19 January 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Misdat is capable of providing shell functionality to the attacker to execute commands.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Misdat network traffic is Base64-encoded plaintext.1
enterprise T1083 File and Directory Discovery Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.1
enterprise T1070 Indicator Removal on Host Misdat is capable of deleting Registry keys used for persistence.1
enterprise T1070.004 File Deletion Misdat is capable of deleting the backdoor file.1
enterprise T1070.006 Timestomp Many Misdat samples were programmed using Borland Delphi, which will mangle the default PE compile timestamp of a file.1
enterprise T1105 Ingress Tool Transfer Misdat is capable of downloading files from the C2.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Misdat saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.12
enterprise T1095 Non-Application Layer Protocol Misdat network traffic communicates over a raw socket.1
enterprise T1082 System Information Discovery The initial beacon packet for Misdat contains the operating system version of the victim.1

Groups That Use This Software

ID Name References
G0031 Dust Storm 1


Back to top