S0211 Linfo
Linfo is a rootkit trojan used by Elderwood to open a backdoor on compromised hosts. 1 2
| Item | Value |
|---|---|
| ID | S0211 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 18 April 2018 |
| Last Modified | 06 January 2021 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Linfo creates a backdoor through which remote attackers can start a remote shell.2 |
| enterprise | T1005 | Data from Local System | Linfo creates a backdoor through which remote attackers can obtain data from local systems.2 |
| enterprise | T1008 | Fallback Channels | Linfo creates a backdoor through which remote attackers can change C2 servers.2 |
| enterprise | T1083 | File and Directory Discovery | Linfo creates a backdoor through which remote attackers can list contents of drives and search for files.2 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Linfo creates a backdoor through which remote attackers can delete files.2 |
| enterprise | T1105 | Ingress Tool Transfer | Linfo creates a backdoor through which remote attackers can download files onto compromised hosts.2 |
| enterprise | T1057 | Process Discovery | Linfo creates a backdoor through which remote attackers can retrieve a list of running processes.2 |
| enterprise | T1029 | Scheduled Transfer | Linfo creates a backdoor through which remote attackers can change the frequency at which compromised hosts contact remote C2 infrastructure.2 |
| enterprise | T1082 | System Information Discovery | Linfo creates a backdoor through which remote attackers can retrieve system information.2 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0066 | Elderwood | 1 |