G0105 DarkVishnya
DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.[1]
Item | Value |
---|---|
ID | G0105 |
Associated Names | |
Version | 1.1 |
Created | 15 May 2020 |
Last Modified | 12 October 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1110 | Brute Force | DarkVishnya used brute-force attacks to obtain login data.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | DarkVishnya used PowerShell to create shellcode loaders.[1] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | DarkVishnya created new services to distribute shellcode loaders.[1] |
enterprise | T1200 | Hardware Additions | DarkVishnya used Bash Bunny, Raspberry Pi, netbooks or inexpensive laptops to connect to the company’s local network.[1] |
enterprise | T1046 | Network Service Discovery | DarkVishnya performed port scanning to obtain the list of active services.[1] |
enterprise | T1135 | Network Share Discovery | DarkVishnya scanned the network for public shared folders.[1] |
enterprise | T1040 | Network Sniffing | DarkVishnya used network sniffing to obtain login data.[1] |
enterprise | T1571 | Non-Standard Port | DarkVishnya used ports 5190 and 7900 for shellcode listeners, and 4444, 4445 and 31337 for shellcode C2.[1] |
enterprise | T1588 | Obtain Capabilities | - |
enterprise | T1588.002 | Tool | DarkVishnya has obtained and used tools such as Impacket, Winexe, and PsExec.[1] |
enterprise | T1219 | Remote Access Software | DarkVishnya used DameWare Mini Remote Control for lateral movement.[1] |