S1158 DUSTPAN
DUSTPAN is an in-memory dropper written in C/C++ used by APT41 since 2021 that decrypts and executes an embedded payload.[1][2]
| Item | Value |
|---|---|
| ID | S1158 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 16 September 2024 |
| Last Modified | 21 September 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | DUSTPAN can persist as a Windows Service in operations.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | DUSTPAN decodes and decrypts embedded payloads.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | DUSTPAN is often disguised as a legitimate Windows binary such as w3wp.exe or conn.exe.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.009 | Embedded Payloads | DUSTPAN decrypts and executes an embedded payload.[1][2] |
| enterprise | T1027.013 | Encrypted/Encoded File | DUSTPAN decrypts an embedded payload.[1][2] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.002 | Portable Executable Injection | DUSTPAN can inject its decrypted payload into another process.[1] |
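The two behaviours above that leave the most durable host artefact are T1543.003 (persisting as a Windows service) and T1036.005 (borrowing the name w3wp.exe or conn.exe). A defender can combine them into one hunt: list services whose image path ends in one of those names and flag any whose directory is not where that binary legitimately lives. The script below is an added example written for this page, not code from MITRE or from the cited reports. It assumes that the legitimate IIS worker process lives under `C:\Windows\System32\inetsrv` and that `conn.exe` has no standard Windows location, so any service carrying that name is reported; the service list is constructed sample data shaped like a Service Control Manager export, not real telemetry.

```python
import ntpath  # Windows-style path handling; works on any host OS

# Constructed sample of (service name, ImagePath) pairs, as a defender might
# export from the Service Control Manager. None of these are from the page.
SAMPLE_SERVICES = [
    ("W3SVC", r"C:\Windows\System32\inetsrv\w3wp.exe"),
    ("UpdaterSvc", r'"C:\ProgramData\Update\w3wp.exe" -k netsvcs'),
    ("ConnHelper", r"C:\Users\Public\conn.exe"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

# Names DUSTPAN has been observed to borrow (from the page), mapped to the
# directory where a binary of that name legitimately lives (assumption for
# this example). An empty set means there is no legitimate location, so
# every occurrence is reported.
EXPECTED_DIRS = {
    "w3wp.exe": {r"c:\windows\system32\inetsrv"},
    "conn.exe": set(),
}


def image_executable(image_path):
    """Extract the executable from a service ImagePath value.

    Quoted paths are taken up to the closing quote; unquoted paths are cut at
    the first space, which is how the SCM itself resolves them.
    """
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    return p.split(" ", 1)[0]


def find_masquerading_services(services):
    """Return (service name, ImagePath) for services that use a borrowed
    binary name outside its expected directory."""
    findings = []
    for name, image_path in services:
        exe_path = image_executable(image_path)
        exe = ntpath.basename(exe_path).lower()
        if exe not in EXPECTED_DIRS:
            continue  # name is not one DUSTPAN is known to impersonate
        directory = ntpath.dirname(exe_path).lower()
        if directory not in EXPECTED_DIRS[exe]:
            findings.append((name, image_path))
    return findings


if __name__ == "__main__":
    for svc, path in find_masquerading_services(SAMPLE_SERVICES):
        print(f"suspicious service {svc}: {path}")
```

A hit from this check is a lead, not a verdict: the next step is to hash the binary at the flagged path and compare it against the known-good IIS worker process, and to review the service's creation time against change records.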
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0096 | APT41 | [2][1] |
References
1. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
2. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman & John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved September 16, 2024.