ATT&CKcon 5.0 returns October 22-23, 2024 in McLean, VA. Register for in-person participation here. Stay tuned for virtual registration!

Mis-Type

Mis-Type is a backdoor hybrid that was used in Operation Dust Storm by 2012.^[1]

ID: S0084

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.2

Created: 31 May 2017

Last Modified: 30 September 2022

Techniques Used

Domain	ID		Name	Use
Enterprise	T1087	.001	Account Discovery: Local Account	Mis-Type may create a file containing the results of the command `cmd.exe /c net user {Username}`.^[1]
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Mis-Type network traffic can communicate over HTTP.^[1]
Enterprise	T1547		Boot or Logon Autostart Execution	Mis-Type has created registry keys for persistence, including `HKCU\Software\bkfouerioyou`, `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{6afa8072-b2b1-31a8-b5c1-{Unique Identifier}`, and `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3BF41072-B2B1-31A8-B5C1-{Unique Identifier}`.^[1]
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	Mis-Type has used `cmd.exe` to run commands on a compromised host.^[1]
Enterprise	T1136	.001	Create Account: Local Account	Mis-Type may create a temporary user on the system named `Lost_{Unique Identifier}`.^[1]
Enterprise	T1132	.001	Data Encoding: Standard Encoding	Mis-Type uses Base64 encoding for C2 traffic.^[1]
Enterprise	T1005		Data from Local System	Mis-Type has collected files and data from a compromised host.^[1]
Enterprise	T1074	.001	Data Staged: Local Data Staging	Mis-Type has temporarily stored collected information to the files `"%AppData%\{Unique Identifier}\HOSTRURKLSR"` and `"%AppData%\{Unique Identifier}\NEWERSSEMP"`.^[1]
Enterprise	T1041		Exfiltration Over C2 Channel	Mis-Type has transmitted collected files and data to its C2 server.^[1]
Enterprise	T1008		Fallback Channels	Mis-Type first attempts to use a Base64-encoded network protocol over a raw TCP socket for C2, and if that method fails, falls back to a secondary HTTP-based protocol to communicate to an alternate C2 server.^[1]
Enterprise	T1105		Ingress Tool Transfer	Mis-Type has downloaded additional malware and files onto a compromised host.^[1]
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	Mis-Type saves itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.^[1]^[2]
Enterprise	T1106		Native API	Mis-Type has used Windows API calls, including `NetUserAdd` and `NetUserDel`.^[1]
Enterprise	T1095		Non-Application Layer Protocol	Mis-Type network traffic can communicate over a raw socket.^[1]
Enterprise	T1055		Process Injection	Mis-Type has been injected directly into a running process, including `explorer.exe`.^[1]
Enterprise	T1082		System Information Discovery	The initial beacon packet for Mis-Type contains the operating system version and file system of the victim.^[1]
Enterprise	T1016		System Network Configuration Discovery	Mis-Type may create a file containing the results of the command `cmd.exe /c ipconfig /all`.^[1]
Enterprise	T1033		System Owner/User Discovery	Mis-Type runs tests to determine the privilege level of the compromised user.^[1]

Campaigns

ID	Name	Description
C0016	Operation Dust Storm	^[1]

References

Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.

Microsoft. (2011, January 12). Distributed Transaction Coordinator. Retrieved February 25, 2016.