Skip to content

G0124 Windigo

The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, Windigo operators continued updating Ebury through 2019.12

Item Value
ID G0124
Associated Names
Version 1.0
Created 10 February 2021
Last Modified 26 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter Windigo has used a Perl script for information gathering.3
enterprise T1005 Data from Local System Windigo has used a script to gather credentials in files left on disk by OpenSSH backdoors.3
enterprise T1189 Drive-by Compromise Windigo has distributed Windows malware via drive-by downloads.1
enterprise T1083 File and Directory Discovery Windigo has used a script to check for the presence of files created by OpenSSH backdoors.3
enterprise T1090 Proxy Windigo has delivered a generic Windows proxy Win32/Glubteta.M. Windigo has also used multiple reverse proxy chains as part of their C2 infrastructure.1
enterprise T1518 Software Discovery Windigo has used a script to detect installed software on targeted systems.3
enterprise T1082 System Information Discovery Windigo has used a script to detect which Linux distribution and version is currently installed on the system.3

Software

ID Name References Techniques
S0377 Ebury 4 DNS:Application Layer Protocol Automated Exfiltration Python:Command and Scripting Interpreter Compromise Client Software Binary Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Domain Generation Algorithms:Dynamic Resolution Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel Fallback Channels File and Directory Discovery Dynamic Linker Hijacking:Hijack Execution Flow Disable or Modify Tools:Impair Defenses Indicator Blocking:Impair Defenses Modify Authentication Process Pluggable Authentication Modules:Modify Authentication Process Obfuscated Files or Information Rootkit Code Signing:Subvert Trust Controls Private Keys:Unsecured Credentials

References

  1. Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., Léveillé, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign. Retrieved February 10, 2021. 

  2. CERN. (2019, June 4). 2019/06/04 Advisory: Windigo attacks. Retrieved February 10, 2021. 

  3. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020. 

  4. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.