S0200 Dipsind
Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM.[1]
| Item | Value |
|---|---|
| ID | S0200 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 18 April 2018 |
| Last Modified | 30 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Dipsind uses HTTP for C2.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.004 | Winlogon Helper DLL | A Dipsind variant registers as a Winlogon Event Notify DLL to establish persistence.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Dipsind can spawn remote shells.[1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Dipsind encodes C2 traffic with base64.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Dipsind encrypts C2 data with AES-256 in ECB mode.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Dipsind can download remote files.[1] |
| enterprise | T1029 | Scheduled Transfer | Dipsind can be configured to only run during normal working hours, which makes its communications harder to distinguish from normal traffic.[1] |
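Two of the rows above (T1547.004 Winlogon Event Notify persistence, and T1132.001/T1573.001 base64 over AES-256-ECB C2) lend themselves to simple hunting checks. The Python below is an added example written for this page; it is not MITRE's code and not Dipsind's. It assumes a `reg export` dump of the `Winlogon\Notify` key as input, a caller-supplied baseline of known-good Notify DLL names (the names shown are illustrative XP-era entries; build your own from a clean image), and a constructed HTTP body that stands in for base64-wrapped ECB ciphertext (no real key or cipher is used). The ECB check relies on the property that ECB maps identical 16-byte plaintext blocks to identical ciphertext blocks, so repeated blocks in a block-aligned base64 body are the tell that no randomised mode is in use.

```python
"""Hunting helpers for two Dipsind behaviours: Winlogon Notify DLL
persistence and base64-wrapped AES-ECB C2 bodies (added example)."""
import base64
import binascii
import hashlib
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
BLOCK = 16  # AES block size in bytes, regardless of key length

# Illustrative known-good Notify DLLs (XP-era); replace with your own baseline.
BASELINE = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

# Constructed `reg export` excerpt: one legitimate subkey and one planted DLL.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Constructed]
"DLLName"="C:\\Users\\Public\\notify.dll"
"Asynchronous"=dword:00000001
"""


def find_winlogon_notify_dlls(reg_export: str, baseline: set[str]) -> list[tuple[str, str]]:
    """Return (subkey, DLLName) pairs under Winlogon\\Notify whose DLL is not
    in the caller's baseline. Anything with a full path is flagged too, since
    baseline entries are bare System32 names."""
    findings = []
    current = None  # subkey name while we are inside Notify\<subkey>
    prefix = (NOTIFY_KEY + "\\").lower()
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
            continue
        if current is None:
            continue
        m = re.match(r'"DLLName"="(.*)"$', line)
        if not m:
            continue
        dll = m.group(1).replace("\\\\", "\\")  # .reg files escape backslashes
        if dll.lower() not in baseline:
            findings.append((current, dll))
    return findings


def ecb_indicators(body: str) -> dict:
    """Heuristics for a base64 body wrapping a block cipher in ECB mode:
    it decodes strictly, its length is a multiple of the 16-byte block,
    and identical 16-byte blocks recur."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return {"base64": False, "block_aligned": False, "repeated_blocks": 0}
    aligned = len(raw) >= 2 * BLOCK and len(raw) % BLOCK == 0
    blocks = [raw[i:i + BLOCK] for i in range(0, len(raw), BLOCK)]
    repeats = len(blocks) - len(set(blocks)) if aligned else 0
    return {"base64": True, "block_aligned": aligned, "repeated_blocks": repeats}


def _block(tag: bytes) -> bytes:
    # Constructed stand-in for one ciphertext block; a real ECB ciphertext
    # would show the same repetition wherever plaintext blocks repeat.
    return hashlib.sha256(tag).digest()[:BLOCK]


# Constructed body: blocks A, B, A, C -> one repeated block.
SAMPLE_BODY = base64.b64encode(
    _block(b"a") + _block(b"b") + _block(b"a") + _block(b"c")
).decode()


if __name__ == "__main__":
    for subkey, dll in find_winlogon_notify_dlls(SAMPLE_REG, BASELINE):
        print(f"suspicious Notify subkey {subkey!r} -> {dll}")
    print(ecb_indicators(SAMPLE_BODY))
```

Neither check proves Dipsind on its own: a non-baseline Notify DLL needs a look at the file and its signer, and the ECB heuristic fires on any block-aligned base64 blob with repeats, so use it to rank HTTP bodies for inspection rather than to alert by itself. On hosts newer than XP the `Notify` subkeys are no longer loaded by Winlogon, but the key is still worth collecting because a planted entry there shows intent.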
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0068 | PLATINUM | [1] |