DustySky
DustySky, also called “NeD Worm” by its developer, is a multi-stage Windows malware family reported in use since May 2015 and attributed to the Molerats threat group. Documented capabilities include host reconnaissance and collection: the dropper uses Windows Management Instrumentation (WMI) to extract operating system information and determine whether antivirus is active, and the malware lists installed software and detects connected USB devices. DustySky also contains a keylogger and captures PNG screenshots of the main screen. For collection and exfiltration, it creates folders in temporary directories to stage collected files, can compress staged data with RAR, and sends the data to its command-and-control server. It deletes files it creates on the infected system after use. Behaviors stated directly in the source, and therefore high-confidence, are temporary-directory staging, RAR archiving prior to exfiltration, screenshot capture, keylogging, USB device detection, installed-software enumeration, antivirus checks, WMI-based system discovery, exfiltration to C2, and cleanup via file deletion.
Groups observed using it
One threat actor, Molerats, is attributed by public researchers.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
6 techniques
In one case, the attackers used stolen email credentials and logged in from 96.44.156.201, potentially their proxy or VPN endpoint.
DustySky Core is a Trojan backdoor... Searching for removable media and network drives, and duplicating itself into them.
IP address 45.32.13.169 and all the domains that are pointing to it host a webpage which is a copy of a legitimate and unrelated software website - iMazing... the version on the fake website is bundled with DustySky malware.
If the target is using Windows, DustySky is served. If the operating system is different than Windows, the target is served a Google, Microsoft, or Yahoo phishing page.
The attackers would usually send a malicious email message that either links to an archive file (RAR or ZIP compressed) or has one attached to it.
Execution
2 techniques
The dropper uses Windows Management Instrumentation to extract information about the operating system and whether an antivirus is active.
If the victim extracts the archive and clicks the .exe file, the lure document or video is presented while the computer is being infected with DustySky. | In recent samples the group used Microsoft Word files embedded with a malicious macro, which would infect the victim if enabled. Note that these infection methods rely on social engineering - convincing the victim to open the file (and enabling content if it is disabled) - and not on software vulnerabilities.
Persistence
2 techniques
Privilege Escalation
2 techniques
Defense Evasion
4 techniques
The dropper uses the following function to obfuscate the names of functions and other parts of the malware (in later versions, the SmartAssembly 6.9.0.114 .NET obfuscator was used).
DustySky deletes files it creates on the infected system after use, removing droppers and staged data to cover its tracks (Indicator Removal: File Deletion).
Credential Access
2 techniques
One of the components contained in DustySky core is a keylogger... When ordered by the command and control server, the keylogger is extracted and executed. Keylogging logs are saved to %TEMP%\temps.
They used BrowserPasswordDump, a public and free-to-use tool that recovers passwords saved in browsers.
Discovery
7 techniques
The dropper uses Windows Management Instrumentation to extract information about the operating system and whether an antivirus is active.
They took screenshots and a list of active processes in the computer, and sent them to their command and control servers.
The DustySky dropper tries to evade running in a virtual machine. Once sure the computer is not a VM, it extracts, runs and adds persistency to DustySky Core. It extracts basic information about the operating system and checks for the existence of an Antivirus.
The malware would also scan the computer for files that contain certain keywords. The list of keywords, in base64 format, is retrieved from the command and control as a text file.
DustySky enumerates connected peripherals, in particular USB mass storage and other removable drives, which it also searches in order to copy itself onto them (Peripheral Device Discovery).
For VM evasion the dropper checks whether there is a DLL that indicate that the malware is running in a virtual machine... If the dropper is indeed running in a virtual machine, it will open the lure document and stop its activity.
DustySky Core is a Trojan backdoor and the main component of the malware. It has the following capabilities: Collecting information about the OS version, running processes and installed software.
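The keyword-driven file search quoted above (a base64-encoded keyword list fetched from the C2 as a text file, then a scan of the host for files that contain those keywords) is the kind of step an analyst wants to reproduce, for example to judge what a keyword list recovered from C2 traffic would have selected on a disk image. The following Python is an added example written for this page, not code from the ClearSky report or from the malware itself. It assumes one keyword per line inside the decoded file and matches keywords case-insensitively against both file names and file contents; the keywords, the directory tree and the 1 MiB content read limit are constructed for the demo.

```python
import base64
import os
import tempfile
from pathlib import Path

# Constructed keyword file in the described shape: base64 wrapping a text file.
# One keyword per line is an assumption; the words are demo values, not from the report.
SAMPLE_KEYWORD_FILE_B64 = base64.b64encode(b"budget\npassword\nmeeting\n").decode()


def decode_keyword_list(b64_text: str) -> list[str]:
    """Decode the base64 keyword file into a de-duplicated, lower-cased list."""
    raw = base64.b64decode(b64_text).decode("utf-8", errors="replace")
    keywords: list[str] = []
    for line in raw.splitlines():
        kw = line.strip().lower()
        if kw and kw not in keywords:
            keywords.append(kw)
    return keywords


def scan_tree(root: str, keywords: list[str], max_bytes: int = 1 << 20) -> list[str]:
    """Return relative paths under root whose file name or first max_bytes of
    content contain any keyword (case-insensitive). Unreadable files are skipped."""
    needles = [k.encode() for k in keywords]
    hits: list[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = str(full.relative_to(root))
            if any(n in name.lower().encode() for n in needles):
                hits.append(rel)          # name match, no need to read content
                continue
            try:
                with open(full, "rb") as fh:
                    head = fh.read(max_bytes).lower()
            except OSError:
                continue
            if any(n in head for n in needles):
                hits.append(rel)
    return sorted(hits)


def demo() -> list[str]:
    """Build a constructed directory tree and run the scan over it."""
    keywords = decode_keyword_list(SAMPLE_KEYWORD_FILE_B64)
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "docs/Q3_budget.xlsx": b"\x00\x01binary",               # name match
            "docs/notes.txt": b"agenda for the Meeting on Monday",  # content match
            "docs/readme.txt": b"nothing of interest here",          # no match
            "secrets/creds.ini": b"db_password=hunter2",             # content match
        }
        for rel, data in samples.items():
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        return scan_tree(tmp, keywords)


if __name__ == "__main__":
    print(decode_keyword_list(SAMPLE_KEYWORD_FILE_B64))
    print(demo())
```

Substring matching on raw bytes is deliberate: it catches keywords inside ASCII and UTF-8 documents without parsing formats, which is the cheap behaviour a collector would use, but it will miss UTF-16 content such as many Office and registry exports; widen the comparison if that matters for your image.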
Lateral Movement
1 technique
Collection
4 techniques
One of the components contained in DustySky core is a keylogger... When ordered by the command and control server, the keylogger is extracted and executed. Keylogging logs are saved to %TEMP%\temps.
DustySky creates folders under temporary directories and stages collected files, keylogging output and screenshots there prior to exfiltration (Local Data Staging).
They took screenshots and a list of active processes in the computer, and sent them to their command and control servers.
DustySky compresses staged data with RAR before sending it to the command and control server (Archive Collected Data).
Command and Control
4 techniques
DustySky has two hardcoded domains of command and control servers. It starts by checking if the first one is alive by sending a GET request to TEST.php or index.php, expecting “OK” as response.
Recently, command and control communication changed from HTTP to HTTPS.
After infecting the computer, the attackers used both the capabilities of DustySky, and those of public hacking tools they had subsequently downloaded to the computer.
DustySky Core is a Trojan backdoor and the main component of the malware... receives and executes commands.
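The liveness check described above is a usable network signal: a GET to TEST.php or index.php answered by a bare “OK”, and a fallback to the second hardcoded domain when the first does not answer. The following Python is an added example for this page, not code from the ClearSky report or from the malware, and shows the detection side run over constructed proxy log lines. The log format (epoch seconds, client IP, method, URL, HTTP status, response body bytes), the placeholder hostnames and the 60-second failover window are assumptions; adapt parse_line() to your own proxy's format, and note that a two-byte response body and the path names are weak on their own, so the failover pairing is the stronger signal.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed proxy log. Hostnames are placeholders, not indicators from the report.
SAMPLE_LOG = """\
1710000000 10.0.0.25 GET http://c2-primary.example/TEST.php 0 0
1710000001 10.0.0.25 GET http://c2-backup.example/TEST.php 200 2
1710000061 10.0.0.25 GET http://c2-backup.example/index.php 200 2
1710000062 10.0.0.31 GET http://cdn.example/index.php 200 5213
1710000063 10.0.0.40 POST http://api.example/TEST.php 200 2
"""

CHECKIN_PATHS = {"/test.php", "/index.php"}  # compared case-insensitively
OK_BODY_LEN = len(b"OK")                     # reply the malware expects


@dataclass(frozen=True)
class Request:
    ts: int
    client: str
    method: str
    host: str
    path: str
    status: int
    size: int


def parse_line(line: str):
    """Parse one log line in the assumed format; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, size = parts
    u = urlsplit(url)
    try:
        return Request(int(ts), client, method.upper(), u.hostname or "",
                       u.path or "/", int(status), int(size))
    except ValueError:
        return None


def is_checkin_probe(r: Request) -> bool:
    """A GET to one of the liveness-check paths, regardless of outcome."""
    return r.method == "GET" and r.path.lower() in CHECKIN_PATHS


def is_alive_reply(r: Request) -> bool:
    """Probe answered 200 with a two-byte body, the size of a bare 'OK'."""
    return is_checkin_probe(r) and r.status == 200 and r.size == OK_BODY_LEN


def find_checkins(log_text: str) -> list[tuple[str, str, str]]:
    """(client, host, path) for every request that looks like a successful
    liveness check. Cheap single-event signal; expect some noise."""
    reqs = [r for r in map(parse_line, log_text.splitlines()) if r]
    return [(r.client, r.host, r.path) for r in reqs if is_alive_reply(r)]


def find_failovers(log_text: str, window: int = 60) -> list[tuple[str, str, str]]:
    """(client, dead_host, live_host) where one client probed a check-in path on
    host A without getting a valid 'OK' and, within `window` seconds, got a valid
    'OK' from a different host B: the two-hardcoded-domain failover shape."""
    reqs = sorted((r for r in map(parse_line, log_text.splitlines()) if r),
                  key=lambda r: (r.client, r.ts))
    hits: list[tuple[str, str, str]] = []
    for a, b in zip(reqs, reqs[1:]):
        if (a.client == b.client and is_checkin_probe(a) and not is_alive_reply(a)
                and is_alive_reply(b) and a.host != b.host and 0 <= b.ts - a.ts <= window):
            hits.append((a.client, a.host, b.host))
    return hits


if __name__ == "__main__":
    for hit in find_checkins(SAMPLE_LOG):
        print("check-in:", hit)
    for hit in find_failovers(SAMPLE_LOG):
        print("failover:", hit)
```

Once the family moved to HTTPS, as the next quote notes, the path and body size are no longer visible at the proxy unless TLS is inspected; the failover shape then has to be read from DNS or connection logs (two resolutions or connects in quick succession from one client), with the host pairing as the only remaining signal.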
Exfiltration
1 technique
DustySky Core is a Trojan backdoor... It communicates with the command and control server, exfiltrates collected data, information and files, and receives and executes commands.
IOCs tracked for this family
227 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
29 sources tracked across advisories, community write-ups, and news.
Tool used by Molerats to stage and archive collected files prior to exfiltration.
Backdoor malware capable of detecting connected USB devices.
Dropper that uses WMI to identify OS details and active antivirus protections.
Backdoor that exfiltrates data to its C2 server.