
Dipsind

Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM. [1]

ID: S0200
Type: MALWARE
Platforms: Windows
Contributors: Ryan Becwar
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1059 | Command-Line Interface | Dipsind can spawn remote shells. [1] |
| Enterprise | T1094 | Custom Command and Control Protocol | A Dipsind variant uses a C2 mechanism similar to port knocking that allows attackers to connect to a victim without leaving the connection open for more than a few seconds. [1] |
| Enterprise | T1132 | Data Encoding | Dipsind encodes C2 traffic with base64. [1] |
| Enterprise | T1105 | Remote File Copy | Dipsind can download remote files. [1] |
| Enterprise | T1029 | Scheduled Transfer | Dipsind can be configured to only run during normal working hours, which would make its communications harder to distinguish from normal traffic. [1] |
| Enterprise | T1071 | Standard Application Layer Protocol | Dipsind uses HTTP for C2. [1] |
| Enterprise | T1032 | Standard Cryptographic Protocol | Dipsind encrypts C2 data with AES256 in ECB mode. [1] |
| Enterprise | T1004 | Winlogon Helper DLL | A Dipsind variant registers as a Winlogon Event Notify DLL to establish persistence. [1] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0068 | PLATINUM | [1] |

References