Skip to content

S0221 Umbreon

A Linux rootkit that provides backdoor access and hides from defenders.

Item Value
ID S0221
Associated Names
Type MALWARE
Version 1.1
Created 18 April 2018
Last Modified 01 July 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet1
enterprise T1095 Non-Application Layer Protocol Umbreon provides access to the system via SSH or any other protocol that uses PAM to authenticate.1
enterprise T1014 Rootkit Umbreon hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access and undermining strace, a tool often used to identify malware.1
enterprise T1205 Traffic Signaling Umbreon provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet.1
enterprise T1078 Valid Accounts -
enterprise T1078.003 Local Accounts Umbreon creates valid local users to provide access to the system.1

References

Back to top