DUSTPAN

Malware

⚠️ Overview

DUSTPAN is an in-memory dropper tracked by Mandiant and attributed to APT41, a Chinese state-sponsored threat group that also runs financially motivated intrusions. Mandiant described it publicly in its March 2022 report on APT41 compromises of U.S. state government networks and again in its July 2024 reporting on a wider APT41 campaign, and notes that the same loader has been publicly reported under the name StealthVector. Written in C/C++, DUSTPAN decrypts an embedded payload and executes it directly in memory, so the second stage is never written to disk in decrypted form. Its role is staging rather than espionage in its own right: the remote command execution, file theft and persistent access associated with it come from the payload it loads, typically a Cobalt Strike BEACON.

🔧 Technical Capabilities

DUSTPAN's own functionality is deliberately small: it carries an encrypted payload, decrypts it at runtime and transfers execution to it in memory (ATT&CK T1027, T1620), which keeps the second stage away from file-based antivirus. Mandiant reports that the dropper was placed on disk under file names mimicking legitimate Windows binaries, such as the IIS worker process w3wp.exe, and was persisted as a Windows service (T1036.005, T1543.003). Command-and-control is handled by the loaded payload rather than by DUSTPAN; with BEACON that is ordinarily HTTP or HTTPS blended into normal web traffic. In the intrusions Mandiant documented, APT41 gained initial access by exploiting public-facing applications (T1190), including Log4Shell (CVE-2021-44228) in the 2021–2022 state government campaign and web shells on internet-facing servers in the 2024 campaign, rather than through phishing attachments. Despite the similar name, DUSTPAN is unrelated to the DUSTMAN wiper.

📜 History & Notable Incidents

The DUSTPAN name first appeared in Mandiant's March 2022 report on APT41 compromises of at least six U.S. state government networks between May 2021 and February 2022. Initial access in that campaign came from exploitation of internet-facing applications, including a zero-day in the USAHERDS application (CVE-2021-44207) and, within hours of its public disclosure, Log4Shell (CVE-2021-44228); DUSTPAN was among the tools deployed once access was gained. In July 2024 Mandiant reported a further APT41 campaign, active since 2023 against shipping and logistics, media, technology and automotive organisations in Italy, Spain, Taiwan, Thailand, Turkey and the United Kingdom, in which DUSTPAN was used to execute BEACON alongside the DUSTTRAP malware and web shells. No CVE is associated with DUSTPAN itself; it is post-exploitation tooling that rides on whatever vulnerability gave the operators their foothold. Five individuals linked to APT41 were indicted by the U.S. Department of Justice in September 2020, before either of these campaigns.

🔍 Detection Indicators

Because DUSTPAN is a compiled dropper, file hashes change from build to build and are only useful for the campaign they came from; hashes and IP ranges quoted for it outside the original reporting should not be relied on. Durable indicators are behavioural: a process with a well-known Windows binary name (w3wp.exe, svchost.exe and similar) running from a directory where that binary does not live; a new service (System log Event ID 7045, or a Sysmon Event ID 1 with services.exe as the parent) whose image path points at such a file; executable memory regions in that process that are not backed by a file on disk, which is how the decrypted payload runs; and HTTP(S) beaconing consistent with Cobalt Strike BEACON from a host that has no reason to generate it. Mandiant's APT41 publications are the authoritative source for campaign-specific hashes, YARA rules and infrastructure.
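A behavioural check of the kind described above, written as an added example for this page rather than code from Mandiant or from the malware itself. It runs over a handful of constructed Windows event records (Sysmon process creation and System log service installation) and flags a well-known binary name executing from, or registered to run from, a directory it does not belong in. The directory table, service names and paths are assumptions chosen for illustration and should be tuned to the environment.

```python
"""Heuristic detection of a loader masquerading as a Windows binary name
(ATT&CK T1036.005) and persisting as a service (T1543.003).

Added example: the event records below are constructed for illustration
and are not real DUSTPAN indicators.
"""
import json
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Set, Tuple

# Directories where each well-known binary name legitimately lives.
# Assumption: adjust for non-default installs (e.g. IIS on another drive).
EXPECTED_DIRS: Dict[str, Set[str]] = {
    "w3wp.exe": {r"c:\windows\system32\inetsrv", r"c:\windows\syswow64\inetsrv"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
}

# Constructed sample events (two suspicious, two benign). Field names follow
# Sysmon Event ID 1 (Image/ParentImage) and System log Event ID 7045
# (ServiceName/ImagePath) as they appear after XML-to-dict conversion.
SAMPLE_EVENTS: List[dict] = [
    {"EventID": 7045, "ServiceName": "WinUpdateSvc",
     "ImagePath": r"C:\ProgramData\w3wp.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\svchost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]


def split_image(image_path: str) -> Tuple[str, str]:
    """Return (lowercase directory, lowercase file name) for an image path.

    Service ImagePath values may be quoted and carry arguments, for example
    "C:\\Program Files\\x\\w3wp.exe" -k netsvcs; only the executable is kept.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        exe = s[1:end] if end != -1 else s[1:]
    else:
        exe = s.split(" ")[0]
    p = PureWindowsPath(exe)
    return str(p.parent).lower(), p.name.lower()


def check_event(ev: dict) -> Optional[dict]:
    """Return an alert if the event shows a monitored binary name running
    from, or registered to run from, a directory it should not be in."""
    if ev.get("EventID") == 7045:
        path = ev.get("ImagePath", "")
        context = "service install: " + str(ev.get("ServiceName"))
    elif ev.get("EventID") == 1:
        path = ev.get("Image", "")
        context = "process create, parent " + str(ev.get("ParentImage"))
    else:
        return None  # event type not covered by this rule
    directory, name = split_image(path)
    expected = EXPECTED_DIRS.get(name)
    if expected is None or directory in expected:
        return None  # unmonitored name, or running from where it belongs
    return {
        "rule": "masquerading_binary_location",
        "name": name,
        "directory": directory,
        "context": context,
        "attack": "T1036.005" + (" T1543.003" if ev["EventID"] == 7045 else ""),
    }


def scan(events: List[dict]) -> List[dict]:
    """Apply check_event to every record and return the alerts in order."""
    return [a for a in (check_event(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The path check alone will false-positive on legitimate non-default installs (IIS relocated to another drive, for instance), so the expected-directory table has to be built from the environment rather than copied. It also only catches the on-disk dropper; since the decrypted payload never touches disk, pair it with EDR or memory-scanning telemetry that reports executable regions not backed by a file.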

☠️ Risk & Impact

DUSTPAN matters for what it loads: a BEACON or similar implant gives the operator interactive access, credential theft and data exfiltration on the compromised host. APT41 has used it against U.S. state government networks and against shipping, logistics, media, technology and automotive organisations in Europe and Asia, with Mandiant reporting exfiltration of sensitive data from affected networks. Because the group pursues both state-directed espionage and financially motivated intrusions, the impact ranges from loss of government and corporate data to direct financial loss. Published reporting gives no reliable aggregate dollar figure for DUSTPAN-related losses.

🛡️ Mitigation

Priorities follow the intrusion chain rather than the dropper itself. Patch internet-facing applications promptly, in particular known exploited vulnerabilities such as Log4Shell (CVE-2021-44228), and hunt for web shells on web servers. Alert on new service installations (Event ID 7045) and on well-known Windows binary names executing from non-standard paths, and use an EDR that can flag unbacked executable memory and reflective code loading (ATT&CK T1620, T1055). Restrict outbound HTTP(S) from servers to known destinations so that BEACON C2 stands out. In MITRE's terminology the relevant defensive measures are catalogued in D3FEND, not in ATT&CK; network traffic analysis (D3-NTA) and process spawn analysis (D3-PSA) are the applicable countermeasure classes. Mandiant's APT41 publications carry the campaign-specific YARA rules and indicators.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.