Dipsind

Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM.[1]

ID: S0200
Type: MALWARE
Platforms: Windows
Contributors: Ryan Becwar
Version: 1.1
Created: 18 April 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

Dipsind uses HTTP for C2.[1]

Enterprise T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL

A Dipsind variant registers as a Winlogon Event Notify DLL to establish persistence.[1]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Dipsind can spawn remote shells.[1]

Enterprise T1132.001 Data Encoding: Standard Encoding

Dipsind encodes C2 traffic with base64.[1]

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography

Dipsind encrypts C2 data with AES256 in ECB mode.[1]

Enterprise T1105 Ingress Tool Transfer

Dipsind can download remote files.[1]

Enterprise T1029 Scheduled Transfer

Dipsind can be configured to only run during normal working hours, which would make its communications harder to distinguish from normal traffic.[1]

Groups That Use This Software

ID Name References
G0068 PLATINUM [1]

References