Dipsind

Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM. [1]

ID: S0200
Type: MALWARE
Contributors: Ryan Becwar

Platforms: Windows

Version: 1.0

Techniques Used

Domain     | ID    | Name                                 | Use
Enterprise | T1059 | Command-Line Interface               | Dipsind can spawn remote shells. [1]
Enterprise | T1094 | Custom Command and Control Protocol  | A Dipsind variant uses a C2 mechanism similar to port knocking that allows attackers to connect to a victim without leaving the connection open for more than a few seconds. [1]
Enterprise | T1132 | Data Encoding                        | Dipsind encodes C2 traffic with base64. [1]
Enterprise | T1105 | Remote File Copy                     | Dipsind can download remote files. [1]
Enterprise | T1029 | Scheduled Transfer                   | Dipsind can be configured to only run during normal working hours, which would make its communications harder to distinguish from normal traffic. [1]
Enterprise | T1071 | Standard Application Layer Protocol  | Dipsind uses HTTP for C2. [1]
Enterprise | T1032 | Standard Cryptographic Protocol      | Dipsind encrypts C2 data with AES256 in ECB mode. [1]
Enterprise | T1004 | Winlogon Helper DLL                  | A Dipsind variant registers as a Winlogon Event Notify DLL to establish persistence. [1]
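The Winlogon Event Notify persistence in the last row (T1004) is registered under the Winlogon\Notify registry key. The following PowerShell is an added defender-side check, not code from the ATT&CK page or from any Dipsind analysis: it enumerates the Notify subkeys, resolves each registered DLLName the way Winlogon would (bare names against System32), and reports the Authenticode status so an analyst can triage entries that are unsigned or point at a missing file. The function name Get-WinlogonNotifyDlls and the Suspicious heuristic are this example's own choices.

```powershell
# Added example (not from the ATT&CK entry): audit Winlogon Notify packages,
# the registry location that T1004 / Winlogon Helper DLL persistence abuses.
# Both the native and the Wow6432Node paths are checked.
$NotifyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
)

function Get-WinlogonNotifyDlls {
    foreach ($path in $NotifyPaths) {
        if (-not (Test-Path -Path $path)) { continue }

        Get-ChildItem -Path $path | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            $dll   = $props.DLLName
            $resolved = $null

            if ($dll) {
                # Winlogon loads a bare file name from System32; keep rooted paths as-is.
                $resolved = if ([System.IO.Path]::IsPathRooted($dll)) {
                    $dll
                } else {
                    Join-Path -Path $env:SystemRoot -ChildPath ("System32\" + $dll)
                }
            }

            # Authenticode status of the target DLL; a missing file is itself worth a look.
            $sigStatus = if ($resolved -and (Test-Path -Path $resolved)) {
                (Get-AuthenticodeSignature -FilePath $resolved).Status.ToString()
            } else {
                'FileMissing'
            }

            [PSCustomObject]@{
                KeyPath    = $path
                Subkey     = $_.PSChildName
                DLLName    = $dll
                Resolved   = $resolved
                Signature  = $sigStatus
                # Heuristic only: unsigned, invalid or missing targets are flagged for review.
                Suspicious = ($sigStatus -ne 'Valid')
            }
        }
    }
}

# Usage: list every registered Notify package and its signature status.
Get-WinlogonNotifyDlls | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM and System32 are fully readable. Winlogon stopped loading Notify packages with Windows Vista, so on a current system the mere presence of populated subkeys under this path is already an indicator worth recording, independent of the signature check.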

Groups

Groups that use this software:

PLATINUM

References