DarkVishnya

DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.[1]

ID: G0105
Version: 1.1
Created: 15 May 2020
Last Modified: 12 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1110 Brute Force

DarkVishnya used brute-force attack to obtain login data.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

DarkVishnya used PowerShell to create shellcode loaders.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

DarkVishnya created new services for shellcode loaders distribution.[1]

Enterprise T1200 Hardware Additions

DarkVishnya used Bash Bunny, Raspberry Pi, netbooks or inexpensive laptops to connect to the company’s local network.[1]

Enterprise T1046 Network Service Scanning

DarkVishnya performed port scanning to obtain the list of active services.[1]

Enterprise T1135 Network Share Discovery

DarkVishnya scanned the network for public shared folders.[1]

Enterprise T1040 Network Sniffing

DarkVishnya used network sniffing to obtain login data. [1]

Enterprise T1571 Non-Standard Port

DarkVishnya used ports 5190 and 7900 for shellcode listeners, and 4444, 4445, 31337 for shellcode C2.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

DarkVishnya has obtained and used tools such as Impacket, Winexe, and PsExec.[1]

Enterprise T1219 Remote Access Software

DarkVishnya used DameWare Mini Remote Control for lateral movement.[1]

Software

ID Name References Techniques
S0029 PsExec [1] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0191 Winexe [1] System Services: Service Execution

References