DarkVishnya
DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1110 | Brute Force | DarkVishnya used brute-force attack to obtain login data.[1] | |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter:PowerShell | DarkVishnya used PowerShell to create shellcode loaders.[1] |
| Enterprise | T1543 | .003 | Create or Modify System Process:Windows Service | DarkVishnya created new services for shellcode loaders distribution.[1] |
| Enterprise | T1200 | Hardware Additions | DarkVishnya physically connected Bash Bunny, Raspberry Pi, netbooks, and inexpensive laptops to the target organization's environment to access the company’s local network.[1] | |
| Enterprise | T1046 | Network Service Discovery | DarkVishnya performed port scanning to obtain the list of active services.[1] | |
| Enterprise | T1135 | Network Share Discovery | DarkVishnya scanned the network for public shared folders.[1] | |
| Enterprise | T1040 | Network Sniffing | DarkVishnya used network sniffing to obtain login data.[1] | |
| Enterprise | T1571 | Non-Standard Port | DarkVishnya used ports 5190 and 7900 for shellcode listeners, and 4444, 4445, 31337 for shellcode C2.[1] | |
| Enterprise | T1588 | .002 | Obtain Capabilities:Tool | DarkVishnya has obtained and used tools such asImpacket,Winexe, andPsExec.[1] |
| Enterprise | T1219 | Remote Access Tools | DarkVishnya used DameWare Mini Remote Control for lateral movement.[1] | |