DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1110 | Brute Force | DarkVishnya used brute-force attacks to obtain login data.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | DarkVishnya used PowerShell to create shellcode loaders.[1] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | DarkVishnya created new services to distribute shellcode loaders.[1] |
| Enterprise | T1200 | Hardware Additions | DarkVishnya used Bash Bunny, Raspberry Pi, netbooks or inexpensive laptops to connect to the company's local network.[1] |
| Enterprise | T1046 | Network Service Discovery | DarkVishnya performed port scanning to obtain the list of active services.[1] |
| Enterprise | T1135 | Network Share Discovery | DarkVishnya scanned the network for public shared folders.[1] |
| Enterprise | T1040 | Network Sniffing | DarkVishnya used network sniffing to obtain login data.[1] |
| Enterprise | T1571 | Non-Standard Port | DarkVishnya used ports 5190 and 7900 for shellcode listeners, and 4444, 4445, 31337 for shellcode C2.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | DarkVishnya has obtained and used tools such as Impacket, Winexe, and PsExec.[1] |
| Enterprise | T1219 | Remote Access Software | DarkVishnya used DameWare Mini Remote Control for lateral movement.[1] |
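Two of the rows above are directly observable in network telemetry: the port scanning from the planted device (T1046) and the fixed listener/C2 ports the report attributes to the group (T1571). The following is an added detection example, not code from this page or from the cited report. It runs over constructed flow records (timestamp, source, destination, destination port, protocol); the record layout, the IP addresses, the 60-second window and the 20-distinct-ports threshold are assumptions for illustration and should be tuned to a real environment.

```python
"""Flag port scans (T1046) and connections to the listener/C2 ports
attributed to DarkVishnya (T1571) in flow records.

Added example; the record format and sample data are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Ports the report attributes to DarkVishnya shellcode listeners and C2.
LISTENER_PORTS = {5190, 7900}
C2_PORTS = {4444, 4445, 31337}
SUSPECT_PORTS = LISTENER_PORTS | C2_PORTS

# Assumption for this example: one source touching this many distinct
# destination ports on a single host inside the window is treated as a scan.
SCAN_PORT_THRESHOLD = 20
SCAN_WINDOW_SECONDS = 60.0


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<ts> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(float(ts), src, dst, int(dport), proto)


def find_suspect_port_flows(flows):
    """T1571: flows whose destination port is one of the attributed ports.
    Returned in input order so an analyst sees the first contact first."""
    return [f for f in flows if f.dport in SUSPECT_PORTS]


def find_port_scanners(flows, threshold=SCAN_PORT_THRESHOLD,
                       window=SCAN_WINDOW_SECONDS):
    """T1046: sources that reach `threshold` distinct destination ports on
    one host within `window` seconds (sliding window per src/dst pair)."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)

    scanners = set()
    for (src, _dst), pair_flows in by_pair.items():
        pair_flows.sort(key=lambda f: f.ts)
        counts = Counter()  # dport -> number of flows inside the window
        lo = 0
        for f in pair_flows:
            counts[f.dport] += 1
            # Slide the window start forward past flows that fell out of it.
            while f.ts - pair_flows[lo].ts > window:
                old = pair_flows[lo].dport
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                lo += 1
            if len(counts) >= threshold:
                scanners.add(src)
                break
    return scanners


# Constructed sample: a planted device at 10.0.0.50 sweeps ports 1-30 on
# 10.0.0.10 in under three seconds, then talks to a C2 port, and two hosts
# connect back to listener/C2 ports on it. The last two lines are benign.
SAMPLE_LOG = [
    f"{100 + i * 0.1:.1f} 10.0.0.50 10.0.0.10 {port} tcp"
    for i, port in enumerate(range(1, 31))
] + [
    "200.0 10.0.0.50 10.0.0.20 4444 tcp",
    "201.0 10.0.0.21 10.0.0.50 31337 tcp",
    "202.0 10.0.0.22 10.0.0.50 5190 tcp",
    "203.0 10.0.0.30 10.0.0.40 443 tcp",
    "204.0 10.0.0.31 10.0.0.40 445 tcp",
]


def analyse(lines):
    """Run both checks and return a small report dict."""
    flows = [parse_flow(line) for line in lines]
    return {
        "scanners": sorted(find_port_scanners(flows)),
        "suspect_flows": [(f.src, f.dst, f.dport)
                          for f in find_suspect_port_flows(flows)],
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

Port-based matching alone is noisy (4444 and 31337 are also common in lab tooling), so in practice the port hit is best treated as an enrichment on top of the scan alert and on top of the hardware-additions signal, i.e. a MAC address or DHCP lease that has never been seen on that switch port before.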