Skip to content

S0410 Fysbis

Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014.1

Item Value
ID S0410
Associated Names
Version 1.2
Created 12 September 2019
Last Modified 06 November 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.013 XDG Autostart Entries Fysbis has installed itself as an autostart entry under ~/.config/autostart/dbus-inotifier.desktop to establish persistence.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.004 Unix Shell Fysbis has the ability to create and execute commands in a remote shell for CLI.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.002 Systemd Service Fysbis has established persistence using a systemd service.2
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Fysbis can use Base64 to encode its C2 traffic.2
enterprise T1083 File and Directory Discovery Fysbis has the ability to search for files.2
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Fysbis has the ability to delete files.2
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Fysbis can perform keylogging.1
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Fysbis has masqueraded as the rsyncd and dbus-inotifier services.2
enterprise T1036.005 Match Legitimate Name or Location Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier.2
enterprise T1027 Obfuscated Files or Information Fysbis has been encrypted using XOR and RC4.2
enterprise T1057 Process Discovery Fysbis can collect information about running processes.2
enterprise T1082 System Information Discovery Fysbis has used the command ls /etc

Groups That Use This Software

ID Name References
G0007 APT28 1