Mis-Type

Mis-Type is a backdoor hybrid that was used in Operation Dust Storm by 2012.^[1]

ID: S0084

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.2

Created: 31 May 2017

Last Modified: 30 September 2022

Techniques Used

Domain	ID		Name	Use
Enterprise	T1005		从本地系统获取数据	Mis-Type has collected files and data from a compromised host.^[1]
Enterprise	T1036	.005	伪装: Match Legitimate Name or Location	Mis-Type saves itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.^[1]^[2]
Enterprise	T1136	.001	创建账户: Local Account	Mis-Type may create a temporary user on the system named `Lost_{Unique Identifier}`.^[1]
Enterprise	T1547		启动或登录自动启动执行	Mis-Type has created registry keys for persistence, including `HKCU\Software\bkfouerioyou`, `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{6afa8072-b2b1-31a8-b5c1-{Unique Identifier}`, and `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3BF41072-B2B1-31A8-B5C1-{Unique Identifier}`.^[1]
Enterprise	T1059	.003	命令与脚本解释器: Windows Command Shell	Mis-Type has used `cmd.exe` to run commands on a compromised host.^[1]
Enterprise	T1008		回退信道	Mis-Type first attempts to use a Base64-encoded network protocol over a raw TCP socket for C2, and if that method fails, falls back to a secondary HTTP-based protocol to communicate to an alternate C2 server.^[1]
Enterprise	T1071	.001	应用层协议: Web Protocols	Mis-Type network traffic can communicate over HTTP.^[1]
Enterprise	T1074	.001	数据分段: Local Data Staging	Mis-Type has temporarily stored collected information to the files `"%AppData%\{Unique Identifier}\HOSTRURKLSR"` and `"%AppData%\{Unique Identifier}\NEWERSSEMP"`.^[1]
Enterprise	T1132	.001	数据编码: Standard Encoding	Mis-Type uses Base64 encoding for C2 traffic.^[1]
Enterprise	T1106		本机API	Mis-Type has used Windows API calls, including `NetUserAdd` and `NetUserDel`.^[1]
Enterprise	T1082		系统信息发现	The initial beacon packet for Mis-Type contains the operating system version and file system of the victim.^[1]
Enterprise	T1033		系统所有者/用户发现	Mis-Type runs tests to determine the privilege level of the compromised user.^[1]
Enterprise	T1016		系统网络配置发现	Mis-Type may create a file containing the results of the command `cmd.exe /c ipconfig /all`.^[1]
Enterprise	T1087	.001	账号发现: Local Account	Mis-Type may create a file containing the results of the command `cmd.exe /c net user {Username}`.^[1]
Enterprise	T1105		输入工具传输	Mis-Type has downloaded additional malware and files onto a compromised host.^[1]
Enterprise	T1055		进程注入	Mis-Type has been injected directly into a running process, including `explorer.exe`.^[1]
Enterprise	T1041		通过C2信道渗出	Mis-Type has transmitted collected files and data to its C2 server.^[1]
Enterprise	T1095		非应用层协议	Mis-Type network traffic can communicate over a raw socket.^[1]

Campaigns

ID	Name	Description
C0016	Operation Dust Storm	^[1]

References

Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.

Microsoft. (2011, January 12). Distributed Transaction Coordinator. Retrieved February 25, 2016.