DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | DarkVishnya created new services for shellcode loader distribution.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | DarkVishnya used PowerShell to create shellcode loaders.[1] |
| Enterprise | T1110 | Brute Force | DarkVishnya used brute-force attacks to obtain login data.[1] |
| Enterprise | T1200 | Hardware Additions | DarkVishnya used Bash Bunny, Raspberry Pi, netbooks or inexpensive laptops to connect to the company's local network.[1] |
| Enterprise | T1135 | Network Share Discovery | DarkVishnya scanned the network for public shared folders.[1] |
| Enterprise | T1040 | Network Sniffing | DarkVishnya used network sniffing to obtain login data.[1] |
| Enterprise | T1046 | Network Service Discovery | DarkVishnya performed port scanning to obtain the list of active services.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | DarkVishnya has obtained and used tools such as Impacket, Winexe, and PsExec.[1] |
| Enterprise | T1219 | Remote Access Software | DarkVishnya used DameWare Mini Remote Control for lateral movement.[1] |
| Enterprise | T1571 | Non-Standard Port | DarkVishnya used ports 5190 and 7900 for shellcode listeners, and 4444, 4445 and 31337 for shellcode C2.[1] |
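The port assignments in the Non-Standard Port row are concrete enough to hunt on. The following is an added example, not code from the page or from MITRE: it scans a constructed flow-log sample (the record format, addresses and byte counts are all made up here) for TCP connections to the listener and C2 ports the table attributes to DarkVishnya, and groups the hits by destination so a single host that receives both kinds of traffic stands out.

```python
"""Hunt flow records for the DarkVishnya listener and C2 ports (T1571).

Added example for this page. The flow-record format and every address
below are constructed for illustration, not taken from the report.
"""
from collections import namedtuple

# Ports named in the technique table, split by the role the page gives them.
SHELLCODE_LISTENER_PORTS = {5190, 7900}
SHELLCODE_C2_PORTS = {4444, 4445, 31337}

Finding = namedtuple("Finding", "src dst port role line_no")

# Constructed sample flow records: "src dst proto dport bytes"
SAMPLE_FLOWS = """\
10.10.8.21 10.10.8.40 tcp 445 18322
10.10.8.21 10.10.8.40 tcp 5190 412
10.10.8.77 203.0.113.9 tcp 443 90210
10.10.8.40 198.51.100.5 tcp 4444 2048
10.10.8.40 198.51.100.5 tcp 31337 5120
10.10.8.33 10.10.8.40 tcp 7900 380
10.10.8.21 10.10.8.40 udp 53 120
"""


def parse_flow(line):
    """Split one flow record into its fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    src, dst, proto, dport, nbytes = parts
    try:
        return src, dst, proto.lower(), int(dport), int(nbytes)
    except ValueError:
        return None


def classify_port(port):
    """Map a destination port to the role the page assigns it, or None."""
    if port in SHELLCODE_LISTENER_PORTS:
        return "shellcode listener"
    if port in SHELLCODE_C2_PORTS:
        return "shellcode C2"
    return None


def find_suspicious_flows(text):
    """Return a Finding for every TCP flow whose destination port is on the watch list."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        rec = parse_flow(line)
        if rec is None:
            continue
        src, dst, proto, port, _nbytes = rec
        if proto != "tcp":  # the page only names TCP-style listener/C2 ports
            continue
        role = classify_port(port)
        if role:
            findings.append(Finding(src, dst, port, role, line_no))
    return findings


def summarize_by_destination(findings):
    """Group roles by destination host: {dst: {"shellcode listener", ...}}."""
    by_dst = {}
    for f in findings:
        by_dst.setdefault(f.dst, set()).add(f.role)
    return by_dst


if __name__ == "__main__":
    hits = find_suspicious_flows(SAMPLE_FLOWS)
    for f in hits:
        print(f"line {f.line_no}: {f.src} -> {f.dst}:{f.port} ({f.role})")
    for dst, roles in summarize_by_destination(hits).items():
        print(f"{dst}: {', '.join(sorted(roles))}")
```

Port 4444 in particular is a default in several common tools, so a match on these ports is a hunting lead rather than a conviction; it becomes far more interesting when the source address belongs to a device the asset inventory does not know, which is exactly the Hardware Additions pattern the table describes.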
| ID | Name | References | Techniques |
|---|---|---|---|
| S0029 | PsExec | [1] | Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares |
| S0191 | Winexe | [1] | System Services: Service Execution |