Open Hunting - Threat Library

Openhunting Threat Library

RedSalt

RedSalt, Dipsind

(Type: Backdoor)

Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM.

[News Analysis] Trends:

Total Trend: 0

Trend Per Year

Trend Per Month

[News Analysis] News Mention Another Threat Name:

[TTP Analysis] Technique Performance:

reconnaissance

0/43

resource development

0/45

initial access

0/19

execution

1/36

persistence

1/113

privilege escalation

1/96

defense evasion

0/184

credential access

0/63

discovery

0/44

lateral movement

0/22

collection

0/37

command and control

4/39

exfiltration

1/18

impact

0/26

[TTP Analysis] Mitre Attack Matrix:

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
			T1059.003 Command And Scripting Interpreter : Windows Command Shell	T1547.004 Boot Or Logon Autostart Execution : Winlogon Helper Dll	T1547.004 Boot Or Logon Autostart Execution : Winlogon Helper Dll						T1071.001 Application Layer Protocol : Web Protocols T1132.001 Data Encoding : Standard Encoding T1573.001 Encrypted Channel : Symmetric Cryptography T1105 Ingress Tool Transfer	T1029 Scheduled Transfer

[Infrastructure Analysis] Based on Related IOC:

IP:Port	Timestamp

Domain	Timestamp

URL	Timestamp

[Target Analysis] Region/Sector:

No information

References:

News Basic Information Indicator of Compromise Mitre Attack

Basic Information (Credit @etda.or.th)

Tool: RedSalt

Names: RedSalt, Dipsind

Description: Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM.

Category: Malware

Type: Backdoor

Information: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s01-hunting-for-platinum.pdf

Mitre-attack: https://attack.mitre.org/software/S0200/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.redsalt

Last-card-change: 2020-04-22

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
			T1059.003 COMMAND AND SCRIPTING INTERPRETER : WINDOWS COMMAND SHELL dipsind can spawn remote shells.	T1547.004 BOOT OR LOGON AUTOSTART EXECUTION : WINLOGON HELPER DLL a dipsind variant registers as a winlogon event notify dll to establish persistence.	T1547.004 BOOT OR LOGON AUTOSTART EXECUTION : WINLOGON HELPER DLL a dipsind variant registers as a winlogon event notify dll to establish persistence.						T1071.001 APPLICATION LAYER PROTOCOL : WEB PROTOCOLS dipsind uses http for c2. T1132.001 DATA ENCODING : STANDARD ENCODING dipsind encodes c2 traffic with base64. T1573.001 ENCRYPTED CHANNEL : SYMMETRIC CRYPTOGRAPHY dipsind encrypts c2 data with aes256 in ecb mode. T1105 INGRESS TOOL TRANSFER dipsind can download remote files.	T1029 SCHEDULED TRANSFER dipsind can be configured to only run during normal working hours, which would make its communications harder to distinguish from normal traffic.