DUSTTRAP

DUSTTRAP is a multi-stage plugin framework with multiple components that is associated with APT41 operations.[1]

ID: S1159
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 16 September 2024
Last Modified: 21 September 2024

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

DUSTTRAP can gather data from infected systems.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

DUSTTRAP deobfuscates embedded payloads.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

DUSTTRAP can execute commands via cmd.exe.[1]

Enterprise T1482 Domain Trust Discovery

DUSTTRAP can identify Active Directory information and related items.[1]

Enterprise T1113 Screen Capture

DUSTTRAP can capture screenshots.[1]

Enterprise T1010 Application Window Discovery

DUSTTRAP can enumerate running application windows.[1]

Enterprise T1083 File and Directory Discovery

DUSTTRAP can enumerate files and directories.[1]

Enterprise T1654 Log Enumeration

DUSTTRAP can identify infected system log information.[1]

Enterprise T1012 Query Registry

DUSTTRAP can enumerate Registry items.[1]

Enterprise T1027 .009 Obfuscated Files or Information: Embedded Payloads

DUSTTRAP contains additional embedded DLLs and configuration files that are loaded into memory during execution.[1]

.013 Obfuscated Files or Information: Encrypted/Encoded File

DUSTTRAP begins with an initial launcher that decrypts an AES-128-CFB encrypted file on disk and executes it in memory.[1]

Enterprise T1070 Indicator Removal

DUSTTRAP restores the .text section of compromised DLLs after malicious code is loaded into memory and before the file is closed.[1]

.001 Clear Windows Event Logs

DUSTTRAP can delete infected system log information.[1]

.005 Network Share Connection Removal

DUSTTRAP can remove network shares from infected systems.[1]

Enterprise T1082 System Information Discovery

DUSTTRAP reads the value of the infected system's HKLM\SYSTEM\Microsoft\Cryptography\MachineGUID value.[1]

Enterprise T1124 System Time Discovery

DUSTTRAP reads the infected system's current time and writes it to a log file during execution.[1]

Enterprise T1016 System Network Configuration Discovery

DUSTTRAP can enumerate infected system network information.[1]

Enterprise T1615 Group Policy Discovery

DUSTTRAP can identify victim environment Group Policy information.[1]

Enterprise T1135 Network Share Discovery

DUSTTRAP can identify and enumerate victim system network shares.[1]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

DUSTTRAP decryption relies on the infected machine's HKLM\SOFTWARE\Microsoft\Cryptography\MachineGUID value.[1]

Enterprise T1087 .001 Account Discovery: Local Account

DUSTTRAP can enumerate local user accounts.[1]

.002 Account Discovery: Domain Account

DUSTTRAP can enumerate domain accounts.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

DUSTTRAP can identify security software.[1]

Enterprise T1105 Ingress Tool Transfer

DUSTTRAP can retrieve and load additional payloads.[1]

Enterprise T1056 .001 Input Capture: Keylogging

DUSTTRAP can perform keylogging operations.[1]

Enterprise T1057 Process Discovery

DUSTTRAP can enumerate running processes.[1]

Enterprise T1055 Process Injection

DUSTTRAP compromises the .text section of a legitimate system DLL in %windir% to hold the contents of retrieved plug-ins.[1]

Enterprise T1018 Remote System Discovery

DUSTTRAP can use ping to identify remote hosts within the victim network.[1]

Enterprise T1041 Exfiltration Over C2 Channel

DUSTTRAP can exfiltrate collected data over C2 channels.[1]

Groups That Use This Software

ID Name References
G0096 APT41 [1]

Campaigns

ID Name Description
C0040 APT41 DUST

DUSTTRAP was used during APT41 DUST.[1]

References