Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент S-Type
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
S-Type
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

S-Type

S-Type is a backdoor that was used in Operation Dust Storm since at least 2013.(Citation: Cylance Dust Storm)
ID: S0085
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 30 Sep 2022

Techniques Used
Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

S-Type has run the command `net user` on a victim.(Citation: Cylance Dust Storm)
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

S-Type uses HTTP for C2.(Citation: Cylance Dust Storm)
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

S-Type may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ IMJPMIJ8.1{3 characters of Unique Identifier}.(Citation: Cylance Dust Storm)
.009 Boot or Logon Autostart Execution: Shortcut Modification

S-Type may create the file %HOMEPATH%\Start Menu\Programs\Startup\Realtek {Unique Identifier}.lnk, which points to the malicious `msdtc.exe` file already created in the `%CommonFiles%` directory.(Citation: Cylance Dust Storm)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

S-Type has provided the ability to execute shell commands on a compromised host.(Citation: Cylance Dust Storm)
Enterprise T1136 .001 Create Account: Local Account

S-Type may create a temporary user on the system named `Lost_{Unique Identifier}` with the password `pond~!@6”{Unique Identifier}`.(Citation: Cylance Dust Storm)
Enterprise T1132 .001 Data Encoding: Standard Encoding

S-Type uses Base64 encoding for C2 traffic.(Citation: Cylance Dust Storm)
Enterprise T1070 .004 Indicator Removal: File Deletion

S-Type has deleted files it has created on a compromised host.(Citation: Cylance Dust Storm)
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

S-Type may save itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.(Citation: Cylance Dust Storm)(Citation: Microsoft DTC)
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Some S-Type samples have been packed with UPX.(Citation: Cylance Dust Storm)
Enterprise T1614 .001 System Location Discovery: System Language Discovery

S-Type has attempted to determine if a compromised system was using a Japanese keyboard via the `GetKeyboardType` API call.(Citation: Cylance Dust Storm)

Groups That Use This Software
ID Name References
G0031 Dust Storm

(Citation: Cylance Dust Storm)

(Citation: Cylance Dust Storm)

References

  1. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  2. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  3. Microsoft. (2011, January 12). Distributed Transaction Coordinator. Retrieved February 25, 2016.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.