Dipsind

Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM. [1]

ID: S0200
Aliases: Dipsind
Type: MALWARE
Contributors: Ryan Becwar

Platforms: Windows

Version: 1.0

Alias Descriptions

Name    | Description
--------|------------
Dipsind | [1]

Techniques Used

Domain     | ID    | Name                                | Use
-----------|-------|-------------------------------------|----
Enterprise | T1059 | Command-Line Interface              | Dipsind can spawn remote shells. [1]
Enterprise | T1094 | Custom Command and Control Protocol | A Dipsind variant uses a C2 mechanism similar to port knocking that allows attackers to connect to a victim without leaving the connection open for more than a few seconds. [1]
Enterprise | T1132 | Data Encoding                       | Dipsind encodes C2 traffic with base64. [1]
Enterprise | T1105 | Remote File Copy                    | Dipsind can download remote files. [1]
Enterprise | T1029 | Scheduled Transfer                  | Dipsind can be configured to only run during normal working hours, which would make its communications harder to distinguish from normal traffic. [1]
Enterprise | T1071 | Standard Application Layer Protocol | Dipsind uses HTTP for C2. [1]
Enterprise | T1032 | Standard Cryptographic Protocol     | Dipsind encrypts C2 data with AES256 in ECB mode. [1]
Enterprise | T1004 | Winlogon Helper DLL                 | A Dipsind variant registers as a Winlogon Event Notify DLL to establish persistence. [1]

Groups

Groups that use this software:

PLATINUM

References