Where am I?
SECURITM is an SGRC system that automates the processes of information security departments. SECURITM helps build and manage ИСПДн (personal data information systems), КИИ (critical information infrastructure), ГИС (state information systems), ISMS, and banking security systems.
SECURITM is also a place where security teams share experience and working materials.

S-Type

S-Type is a backdoor that was used in Operation Dust Storm since at least 2013.(Citation: Cylance Dust Storm)
ID: S0085
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 31 May 2017
Last Modified: 10 Mar 2023

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

S-Type has run the command `net user` on a victim.(Citation: Cylance Dust Storm)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

S-Type uses HTTP for C2.(Citation: Cylance Dust Storm)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

S-Type may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ IMJPMIJ8.1{3 characters of Unique Identifier}.(Citation: Cylance Dust Storm)

Enterprise T1547 .009 Boot or Logon Autostart Execution: Shortcut Modification

S-Type may create the file %HOMEPATH%\Start Menu\Programs\Startup\Realtek {Unique Identifier}.lnk, which points to the malicious `msdtc.exe` file already created in the `%CommonFiles%` directory.(Citation: Cylance Dust Storm)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

S-Type has provided the ability to execute shell commands on a compromised host.(Citation: Cylance Dust Storm)

Enterprise T1136 .001 Create Account: Local Account

S-Type may create a temporary user on the system named `Lost_{Unique Identifier}` with the password `pond~!@6”{Unique Identifier}`.(Citation: Cylance Dust Storm)

Enterprise T1132 .001 Data Encoding: Standard Encoding

S-Type uses Base64 encoding for C2 traffic.(Citation: Cylance Dust Storm)

Enterprise T1070 .004 Indicator Removal: File Deletion

S-Type has deleted files it has created on a compromised host.(Citation: Cylance Dust Storm)

Enterprise T1070 .009 Indicator Removal: Clear Persistence

S-Type has deleted accounts it has created.(Citation: Cylance Dust Storm)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

S-Type may save itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.(Citation: Cylance Dust Storm)(Citation: Microsoft DTC)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Some S-Type samples have been packed with UPX.(Citation: Cylance Dust Storm)

Enterprise T1614 .001 System Location Discovery: System Language Discovery

S-Type has attempted to determine if a compromised system was using a Japanese keyboard via the `GetKeyboardType` API call.(Citation: Cylance Dust Storm)
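A hunting check built from the persistence (T1547.001/.009) and masquerading (T1036.005) indicators listed above. This is an added example, not code from the ATT&CK entry or the Cylance report; the registry and shortcut sample data is constructed, and the assumption that a legitimate `msdtc.exe` lives only under System32/SysWOW64 is mine.

```python
import re

# Indicators come from the S-Type entry above (Cylance Dust Storm).
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_RE = re.compile(r"^IMJPMIJ8\.1.{3}$")   # IMJPMIJ8.1 + 3-char unique id
STARTUP_LNK_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\Realtek [^\\]+\.lnk$", re.IGNORECASE)
# Assumption: the legitimate MSDTC binary lives only in the Windows system
# directories; S-Type drops its copy under %CommonFiles%.
LEGIT_MSDTC_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_suspicious_msdtc(path: str) -> bool:
    """msdtc.exe anywhere other than the Windows system directories."""
    p = path.lower()
    return p.endswith(r"\msdtc.exe") and not p.startswith(LEGIT_MSDTC_DIRS)


def hunt(run_values, lnk_files) -> list:
    """Return one finding string per artifact matching the S-Type pattern.

    run_values: (key, value_name, data) tuples from an HKCU Run-key dump
    lnk_files:  (lnk_path, target) tuples from Startup folders
    """
    findings = []
    for key, name, data in run_values:
        if key.lower() == RUN_KEY.lower() and RUN_VALUE_RE.match(name):
            findings.append(f"T1547.001 Run value {name} -> {data}")
        elif is_suspicious_msdtc(data):
            findings.append(f"T1036.005 Run value {name} launches {data}")
    for path, target in lnk_files:
        if STARTUP_LNK_RE.search(path) or is_suspicious_msdtc(target):
            findings.append(f"T1547.009 Startup shortcut {path} -> {target}")
    return findings


# Constructed sample data: one benign entry per list plus S-Type-style artifacts.
SAMPLE_RUN_VALUES = [
    (RUN_KEY, "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (RUN_KEY, "IMJPMIJ8.1k3f", r"C:\Program Files\Common Files\msdtc.exe"),
]
SAMPLE_LNK_FILES = [
    (r"C:\Users\alice\Start Menu\Programs\Startup\Realtek 8f2a1c.lnk",
     r"C:\Program Files\Common Files\msdtc.exe"),
    (r"C:\Users\alice\Start Menu\Programs\Startup\Slack.lnk",
     r"C:\Users\alice\AppData\Local\slack\slack.exe"),
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_RUN_VALUES, SAMPLE_LNK_FILES):
        print(line)
```

On a real host the same functions can be fed the output of a Run-key export and a listing of the per-user Startup folders.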

Groups That Use This Software

ID Name References
G0031 Dust Storm (Citation: Cylance Dust Storm)
