
S0021 Derusbi

Derusbi is malware used by multiple Chinese APT groups. [3][4] Both Windows and Linux variants have been observed. [1]

ID: S0021
Associated Names: PHOTO
Type: MALWARE
Version: 1.2
Created: 31 May 2017
Last Modified: 20 March 2023

Associated Software Descriptions

Name: PHOTO [2]

Techniques Used

All techniques below are in the Enterprise domain. Parent techniques are listed with their sub-techniques indented beneath them; the page gives no separate use description for the parent entries.

T1123 Audio Capture: Derusbi is capable of performing audio captures. [2]
T1059 Command and Scripting Interpreter
    T1059.004 Unix Shell: Derusbi is capable of creating a remote Bash shell and executing commands. [1][2]
T1573 Encrypted Channel
    T1573.001 Symmetric Cryptography: Derusbi obfuscates C2 traffic with variable 4-byte XOR keys. [1]
T1008 Fallback Channels: Derusbi uses a backup communication method with an HTTP beacon. [1]
T1083 File and Directory Discovery: Derusbi is capable of obtaining directory, file, and drive listings. [1][2]
T1070 Indicator Removal
    T1070.004 File Deletion: Derusbi is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk as well as overwriting the data with null bytes. [1][2]
    T1070.006 Timestomp: The Derusbi malware supports timestomping. [3][1]
T1056 Input Capture
    T1056.001 Keylogging: Derusbi is capable of logging keystrokes. [2]
T1095 Non-Application Layer Protocol: Derusbi binds to a raw socket on a random source port between 31800 and 31900 for C2. [1]
T1571 Non-Standard Port: Derusbi has used unencrypted HTTP on port 443 for C2. [1]
T1057 Process Discovery: Derusbi collects current and parent process IDs. [1][2]
T1055 Process Injection
    T1055.001 Dynamic-link Library Injection: Derusbi injects itself into the secure shell (SSH) process. [6]
T1012 Query Registry: Derusbi is capable of enumerating Registry keys and values. [2]
T1113 Screen Capture: Derusbi is capable of performing screen captures. [2]
T1218 System Binary Proxy Execution
    T1218.010 Regsvr32: Derusbi variants have been seen that use Registry persistence to proxy execution through regsvr32.exe. [5]
T1082 System Information Discovery: Derusbi gathers the name of the local host, the version of the GNU Compiler Collection (GCC), and system information about the CPU, machine, and operating system. [1]
T1033 System Owner/User Discovery: A Linux version of Derusbi checks whether the victim user ID is anything other than zero (normally used for root), and the malware will not execute if it does not have root privileges. Derusbi also gathers the username of the victim. [1]
T1125 Video Capture: Derusbi is capable of capturing video. [2]

Groups That Use This Software

G0096 APT41 [7]
G0001 Axiom [3][8]
G0009 Deep Panda [4]
G0065 Leviathan [2][9]

References