Skip to content

S0085 S-Type

S-Type is a backdoor that was used by Dust Storm from 2013 to 2014. 1

Item Value
ID S0085
Associated Names
Version 1.1
Created 31 May 2017
Last Modified 19 January 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account S-Type runs the command net user on a victim. S-Type also runs tests to determine the privilege level of the compromised user.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols S-Type uses HTTP for C2.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder S-Type may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ IMJPMIJ8.1{3 characters of Unique Identifier}.1
enterprise T1547.009 Shortcut Modification S-Type may create the file %HOMEPATH%\Start Menu\Programs\Startup\Realtek {Unique Identifier}.lnk, which points to the malicious msdtc.exe file already created in the %CommonFiles% directory.1
enterprise T1136 Create Account -
enterprise T1136.001 Local Account S-Type may create a temporary user on the system named “Lost_{Unique Identifier}” with the password “pond~!@6”{Unique Identifier}.”1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding S-Type uses Base64 encoding for C2 traffic.1
enterprise T1008 Fallback Channels S-Type primarily uses port 80 for C2, but falls back to ports 443 or 8080 if initial communication fails.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location S-Type may save itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.12
enterprise T1082 System Information Discovery The initial beacon packet for S-Type contains the operating system version and file system of the victim.1
enterprise T1007 System Service Discovery S-Type runs the command net start on a victim.1

Groups That Use This Software

ID Name References
G0031 Dust Storm 1


Back to top