DUSTPAN

DUSTPAN is an in-memory dropper written in C/C++ used by APT41 since 2021 that decrypts and executes an embedded payload.^[1]^[2]

ID: S1158

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 16 September 2024

Last Modified: 21 September 2024

Techniques Used

Domain	ID		Name	Use
Enterprise	T1036	.005	伪装: Match Legitimate Name or Location	DUSTPAN is often disguised as a legitimate Windows binary such as `w3wp.exe` or `conn.exe`.^[1]
Enterprise	T1543	.003	创建或修改系统进程: Windows Service	DUSTPAN can persist as a Windows Service in operations.^[1]
Enterprise	T1140		反混淆/解码文件或信息	DUSTPAN decodes and decrypts embedded payloads.^[1]
Enterprise	T1027	.009	混淆文件或信息: Embedded Payloads	DUSTPAN decrypts and executes an embedded payload.^[1]^[2]
		.013	混淆文件或信息: Encrypted/Encoded File	DUSTPAN decrypts an embedded payload.^[1]^[2]
Enterprise	T1055	.002	进程注入: Portable Executable Injection	DUSTPAN can inject its decrypted payload into another process.^[1]

Groups That Use This Software

ID	Name	References
G0096	APT41	^[2]^[1]

Campaigns

ID	Name	Description
C0040	APT41 DUST	DUSTPAN was used during APT41 DUST.^[1]

References

Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.

Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman & John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved September 16, 2024.