
G0105 DarkVishnya

DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region. [1]

| Item | Value |
|---|---|
| ID | G0105 |
| Associated Names | |
| Version | 1.1 |
| Created | 15 May 2020 |
| Last Modified | 12 October 2021 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1110 | Brute Force | DarkVishnya used brute-force attacks to obtain login data. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | DarkVishnya used PowerShell to create shellcode loaders. [1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | DarkVishnya created new services to distribute shellcode loaders. [1] |
| enterprise | T1200 | Hardware Additions | DarkVishnya used Bash Bunny devices, Raspberry Pi boards, netbooks or inexpensive laptops to connect to the company's local network. [1] |
| enterprise | T1046 | Network Service Discovery | DarkVishnya performed port scanning to obtain the list of active services. [1] |
| enterprise | T1135 | Network Share Discovery | DarkVishnya scanned the network for public shared folders. [1] |
| enterprise | T1040 | Network Sniffing | DarkVishnya used network sniffing to obtain login data. [1] |
| enterprise | T1571 | Non-Standard Port | DarkVishnya used ports 5190 and 7900 for shellcode listeners, and ports 4444, 4445 and 31337 for shellcode C2. [1] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | DarkVishnya has obtained and used tools such as Impacket, Winexe, and PsExec. [1] |
| enterprise | T1219 | Remote Access Software | DarkVishnya used DameWare Mini Remote Control for lateral movement. [1] |

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0029 | PsExec | [1] | Domain Account: Create Account; Windows Service: Create or Modify System Process; Lateral Tool Transfer; SMB/Windows Admin Shares: Remote Services; Service Execution: System Services |
| S0191 | Winexe | [1] | Service Execution: System Services |

References