
Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM. [1]

ID: S0200
Platforms: Windows
Contributors: Ryan Becwar
Version: 1.0
Created: 18 April 2018
Last Modified: 17 October 2018

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | Dipsind can spawn remote shells.[1] |
| Enterprise | T1094 | Custom Command and Control Protocol | A Dipsind variant uses a C2 mechanism similar to port knocking that allows attackers to connect to a victim without leaving the connection open for more than a few seconds.[1] |
| Enterprise | T1132 | Data Encoding | Dipsind encodes C2 traffic with base64.[1] |
| Enterprise | T1105 | Remote File Copy | Dipsind can download remote files.[1] |
| Enterprise | T1029 | Scheduled Transfer | Dipsind can be configured to only run during normal working hours, which would make its communications harder to distinguish from normal traffic.[1] |
| Enterprise | T1071 | Standard Application Layer Protocol | Dipsind uses HTTP for C2.[1] |
| Enterprise | T1032 | Standard Cryptographic Protocol | Dipsind encrypts C2 data with AES256 in ECB mode.[1] |
| Enterprise | T1004 | Winlogon Helper DLL | A Dipsind variant registers as a Winlogon Event Notify DLL to establish persistence.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0068 | PLATINUM | [1] |