S0410 Fysbis

Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014.¹

Techniques Used

Domain	ID	Name	Use
enterprise	T1547	Boot or Logon Autostart Execution	-
enterprise	T1547.013	XDG Autostart Entries	Fysbis has installed itself as an autostart entry under `~/.config/autostart/dbus-inotifier.desktop` to establish persistence.²
enterprise	T1059	Command and Scripting Interpreter	-
enterprise	T1059.004	Unix Shell	Fysbis has the ability to create and execute commands in a remote shell for CLI.¹
enterprise	T1543	Create or Modify System Process	-
enterprise	T1543.002	Systemd Service	Fysbis has established persistence using a systemd service.²
enterprise	T1132	Data Encoding	-
enterprise	T1132.001	Standard Encoding	Fysbis can use Base64 to encode its C2 traffic.²
enterprise	T1083	File and Directory Discovery	Fysbis has the ability to search for files.²
enterprise	T1070	Indicator Removal	-
enterprise	T1070.004	File Deletion	Fysbis has the ability to delete files.²
enterprise	T1056	Input Capture	-
enterprise	T1056.001	Keylogging	Fysbis can perform keylogging.¹
enterprise	T1036	Masquerading	-
enterprise	T1036.004	Masquerade Task or Service	Fysbis has masqueraded as the rsyncd and dbus-inotifier services.²
enterprise	T1036.005	Match Legitimate Name or Location	Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier.²
enterprise	T1027	Obfuscated Files or Information	Fysbis has been encrypted using XOR and RC4.²
enterprise	T1057	Process Discovery	Fysbis can collect information about running processes.²
enterprise	T1082	System Information Discovery	Fysbis has used the command `ls /etc`

ID	Name	References
G0007	APT28	¹