Skip to content

S0401 Exaramel for Linux

Exaramel for Linux is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under Exaramel for Windows.1

Item Value
ID S0401
Associated Names
Type MALWARE
Version 1.2
Created 26 August 2019
Last Modified 14 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.001 Setuid and Setgid Exaramel for Linux can execute commands with high privileges via a specific binary with setuid functionality.2
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Exaramel for Linux uses HTTPS for C2 communications.12
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.004 Unix Shell Exaramel for Linux has a command to execute a shell command on the system.12
enterprise T1543 Create or Modify System Process Exaramel for Linux has a hardcoded location that it uses to achieve persistence if the startup system is Upstart or System V and it is running as root.2
enterprise T1543.002 Systemd Service Exaramel for Linux has a hardcoded location under systemd that it uses to achieve persistence if it is running as root.12
enterprise T1140 Deobfuscate/Decode Files or Information Exaramel for Linux can decrypt its configuration file.2
enterprise T1008 Fallback Channels Exaramel for Linux can attempt to find a new C2 server if it receives an error.2
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Exaramel for Linux can uninstall its persistence mechanism and delete its configuration file.2
enterprise T1105 Ingress Tool Transfer Exaramel for Linux has a command to download a file from and to a remote C2 server.12
enterprise T1027 Obfuscated Files or Information Exaramel for Linux uses RC4 for encrypting the configuration.12
enterprise T1053 Scheduled Task/Job -
enterprise T1053.003 Cron Exaramel for Linux uses crontab for persistence if it does not have root privileges.12
enterprise T1033 System Owner/User Discovery Exaramel for Linux can run whoami to identify the system owner.2

Groups That Use This Software

ID Name References
G0034 Sandworm Team 12

References

  1. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. 

  2. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.