This is a custom instance of the MITRE ATT&CK Website. The official website can be found at attack.mitre.org.

Dust Storm

Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. ^[1]

ID: G0031

Version: 1.0

Created: 31 May 2017

Last Modified: 19 January 2022

Techniques Used

Domain	ID		Name	Use
Enterprise	T1005		Data from Local System	Dust Storm has used Android backdoors capable of exfiltrating specific files directly from the infected devices.^[1]
Enterprise	T1083		File and Directory Discovery	Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices.^[1]
Enterprise	T1027		Obfuscated Files or Information	Dust Storm has encoded payloads with a single-byte XOR, both skipping the key itself and zeroing in an attempt to avoid exposing the key.^[1]

Software

ID	Name	References	Techniques
S0084	Mis-Type	^[1]	Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create Account: Local Account, Data Encoding: Standard Encoding, Fallback Channels, Masquerading: Match Legitimate Name or Location, Non-Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0083	Misdat	^[1]	Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Data Encoding: Standard Encoding, File and Directory Discovery, Indicator Removal on Host, Indicator Removal on Host: File Deletion, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Non-Application Layer Protocol, System Information Discovery
S0085	S-Type	^[1]	Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Commonly Used Port, Create Account: Local Account, Data Encoding: Standard Encoding, Fallback Channels, Masquerading: Match Legitimate Name or Location, System Information Discovery, System Service Discovery
S0086	ZLib	^[1]	Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Library, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, File and Directory Discovery, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Screen Capture, System Information Discovery, System Service Discovery

References

Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.