Skip to content

S0200 Dipsind

Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM. 1

Item Value
ID S0200
Associated Names
Type MALWARE
Version 1.1
Created 18 April 2018
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Dipsind uses HTTP for C2.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.004 Winlogon Helper DLL A Dipsind variant registers as a Winlogon Event Notify DLL to establish persistence.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Dipsind can spawn remote shells.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Dipsind encodes C2 traffic with base64.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Dipsind encrypts C2 data with AES256 in ECB mode.1
enterprise T1105 Ingress Tool Transfer Dipsind can download remote files.1
enterprise T1029 Scheduled Transfer Dipsind can be configured to only run during normal working hours, which would make its communications harder to distinguish from normal traffic.1

Groups That Use This Software

ID Name References
G0068 PLATINUM 1

References