1. Home
  2. Software
  3. S-Type

S-Type

S-Type is a backdoor that was used in Operation Dust Storm since at least 2013.[1]

ID: S0085
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 31 May 2017
Last Modified: 10 March 2023
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1036 .005 伪装: Match Legitimate Name or Location

S-Type may save itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[1][2]
Enterprise T1136 .001 创建账户: Local Account

S-Type may create a temporary user on the system named Lost_{Unique Identifier} with the password pond~!@6"{Unique Identifier}.[1]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

S-Type may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ IMJPMIJ8.1{3 characters of Unique Identifier}.[1]
.009 启动或登录自动启动执行: Shortcut Modification

S-Type may create the file %HOMEPATH%\Start Menu\Programs\Startup\Realtek {Unique Identifier}.lnk, which points to the malicious msdtc.exe file already created in the %CommonFiles% directory.[1]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

S-Type has provided the ability to execute shell commands on a compromised host.[1]
Enterprise T1008 回退信道

S-Type primarily uses port 80 for C2, but falls back to ports 443 or 8080 if initial communication fails.[1]
Enterprise T1071 .001 应用层协议: Web Protocols

S-Type uses HTTP for C2.[1]
Enterprise T1132 .001 数据编码: Standard Encoding

S-Type uses Base64 encoding for C2 traffic.[1]
Enterprise T1106 本机API

S-Type has used Windows APIs, including GetKeyboardType, NetUserAdd, and NetUserDel.[1]
Enterprise T1027 .002 混淆文件或信息: Software Packing

Some S-Type samples have been packed with UPX.[1]
Enterprise T1070 .004 移除指标: File Deletion

S-Type has deleted files it has created on a compromised host.[1]
.009 移除指标: Clear Persistence

S-Type has deleted accounts it has created.[1]
Enterprise T1614 .001 系统位置发现: System Language Discovery

S-Type has attempted to determine if a compromised system was using a Japanese keyboard via the GetKeyboardType API call.[1]
Enterprise T1082 系统信息发现

The initial beacon packet for S-Type contains the operating system version and file system of the victim.[1]
Enterprise T1033 系统所有者/用户发现

S-Type has run tests to determine the privilege level of the compromised user.[1]
Enterprise T1007 系统服务发现

S-Type runs the command net start on a victim.[1]
Enterprise T1016 系统网络配置发现

S-Type has used ipconfig /all on a compromised host.[1]
Enterprise T1087 .001 账号发现: Local Account

S-Type has run the command net user on a victim.[1]
Enterprise T1105 输入工具传输

S-Type can download additional files onto a compromised host.[1]
Enterprise T1041 通过C2信道渗出

S-Type has uploaded data and files from a compromised host to its C2 servers.[1]

Campaigns

ID Name Description
C0016 Operation Dust Storm

[1]

References

  1. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  1. Microsoft. (2011, January 12). Distributed Transaction Coordinator. Retrieved February 25, 2016.