Skip to content

S0211 Linfo

Linfo is a rootkit trojan used by Elderwood to open a backdoor on compromised hosts. 1 2

Item Value
ID S0211
Associated Names
Type MALWARE
Version 1.1
Created 18 April 2018
Last Modified 06 January 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Linfo creates a backdoor through which remote attackers can start a remote shell.2
enterprise T1005 Data from Local System Linfo creates a backdoor through which remote attackers can obtain data from local systems.2
enterprise T1008 Fallback Channels Linfo creates a backdoor through which remote attackers can change C2 servers.2
enterprise T1083 File and Directory Discovery Linfo creates a backdoor through which remote attackers can list contents of drives and search for files.2
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion Linfo creates a backdoor through which remote attackers can delete files.2
enterprise T1105 Ingress Tool Transfer Linfo creates a backdoor through which remote attackers can download files onto compromised hosts.2
enterprise T1057 Process Discovery Linfo creates a backdoor through which remote attackers can retrieve a list of running processes.2
enterprise T1029 Scheduled Transfer Linfo creates a backdoor through which remote attackers can change the frequency at which compromised hosts contact remote C2 infrastructure.2
enterprise T1082 System Information Discovery Linfo creates a backdoor through which remote attackers can retrieve system information.2

Groups That Use This Software

ID Name References
G0066 Elderwood 1

References

Back to top