DustySky

DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015.[1][2][3]

ID: S0062
Associated Software: NeD Worm
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 27 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active.[1]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

DustySky achieves persistence by creating a Registry entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.[1]

Enterprise T1008 Fallback Channels

DustySky has two hard-coded domains for C2 servers; if the first does not respond, it will try the second.[1]

Enterprise T1120 Peripheral Device Discovery

DustySky can detect connected USB devices.[3]

Enterprise T1113 Screen Capture

DustySky captures PNG screenshots of the main screen.[3]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

DustySky has used both HTTP and HTTPS for C2.[1]

Enterprise T1560.001 Archive Collected Data: Archive via Utility

DustySky can compress files via RAR while staging data to be exfiltrated.[3]

Enterprise T1074.001 Data Staged: Local Data Staging

DustySky created folders in temp directories to host collected files before exfiltration.[3]

Enterprise T1083 File and Directory Discovery

DustySky scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine.[1][3]

Enterprise T1570 Lateral Tool Transfer

DustySky searches for network drives and removable media and duplicates itself onto them.[1]

Enterprise T1027 Obfuscated Files or Information

The DustySky dropper uses a function to obfuscate the names of functions and other parts of the malware.[1]

Enterprise T1070.004 Indicator Removal: File Deletion

DustySky can delete files it creates from the infected system.[3]

Enterprise T1082 System Information Discovery

DustySky extracts basic information about the operating system.[1]

Enterprise T1518 Software Discovery

DustySky lists all installed software for the infected machine.[3]

Enterprise T1518.001 Software Discovery: Security Software Discovery

DustySky checks for the existence of anti-virus.[1]

Enterprise T1056.001 Input Capture: Keylogging

DustySky contains a keylogger.[1]

Enterprise T1057 Process Discovery

DustySky collects information about running processes from victims.[1][3]

Enterprise T1041 Exfiltration Over C2 Channel

DustySky has exfiltrated data to the C2 server.[3]

Enterprise T1091 Replication Through Removable Media

DustySky searches for removable media and duplicates itself onto it.[1]

Groups That Use This Software

ID Name References
G0021 Molerats [1][2][3]

References