S0410 Fysbis
Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014. [1]
| Item | Value |
|---|---|
| ID | S0410 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.4 |
| Created | 12 September 2019 |
| Last Modified | 11 April 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.013 | XDG Autostart Entries | If executing without root privileges, Fysbis adds a .desktop configuration file to the user's ~/.config/autostart directory. [3][2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | Fysbis has the ability to create and execute commands in a remote shell for CLI. [1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.002 | Systemd Service | Fysbis has established persistence using a systemd service. [2] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Fysbis can use Base64 to encode its C2 traffic. [2] |
| enterprise | T1083 | File and Directory Discovery | Fysbis has the ability to search for files. [2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Fysbis has the ability to delete files. [2] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Fysbis can perform keylogging. [1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Fysbis has masqueraded as the rsyncd and dbus-inotifier services. [2] |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier. [2] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | Fysbis has been encrypted using XOR and RC4. [2] |
| enterprise | T1057 | Process Discovery | Fysbis can collect information about running processes. [2] |
| enterprise | T1082 | System Information Discovery | Fysbis has used the command ls /etc |
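The three persistence and masquerading rows above (XDG autostart entries, systemd services, and the rsyncd / dbus-inotifier names) describe artifacts a responder can hunt for on disk. The script below is an added example, not code from the ATT&CK page or from any Fysbis analysis: it parses `.desktop` files and systemd `.service` units, and flags entries whose name matches one Fysbis used or whose executable lives outside the directories a real daemon would be installed in. The `TRUSTED_PREFIXES` list and the fixture files it scans are constructed assumptions for the demonstration; the `hidden` and home-directory paths in the fixture are invented, not real indicators.

```python
"""Hunt for Fysbis-style persistence: XDG autostart .desktop entries
(T1547.013) and systemd units (T1543.002) that masquerade as rsyncd or
dbus-inotifier (T1036.004) or start a binary from an untrusted location.
Added example; the fixture below is constructed, not real malware output."""
import configparser
import os
import shlex
import tempfile
from pathlib import Path

# Service names the ATT&CK entry reports Fysbis masquerading as.
MASQUERADE_NAMES = {"rsyncd", "dbus-inotifier"}
# Assumption: on a typical distro, daemon binaries live under these paths.
# Tune this to your own baseline; it is the main false-positive control.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                    "/usr/lib/", "/usr/libexec/")


def read_exec(path, section, key):
    """Return the command under [section] key= in an INI-style file, or None.
    strict=False tolerates repeated keys, which systemd units allow
    (e.g. several Environment= lines); only '=' is a delimiter because
    values such as ExecStart=/usr/bin/foo --listen 0.0.0.0:8080 contain ':'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    try:
        if not cp.read(path, encoding="utf-8"):
            return None
    except configparser.Error:
        return None
    return cp.get(section, key, fallback=None)


def assess(name, command):
    """Return the reasons this entry looks suspicious (empty list = clean)."""
    reasons = []
    try:
        argv = shlex.split(command)
    except ValueError:
        return ["unparseable Exec line"]
    if not argv:
        return ["empty Exec line"]
    # systemd lets ExecStart= carry prefix characters such as '-' or '@'.
    binary = argv[0].lstrip("-@+!:")
    if name in MASQUERADE_NAMES:
        reasons.append(f"name '{name}' matches a service Fysbis masqueraded as")
    if not os.path.isabs(binary):
        reasons.append(f"relative executable path '{binary}'")
    elif not binary.startswith(TRUSTED_PREFIXES):
        reasons.append(f"executable outside trusted directories: {binary}")
    return reasons


def hunt(autostart_dirs, unit_dirs):
    """Scan autostart dirs for *.desktop and unit dirs for *.service.
    A name match alone (rsyncd.service ships on some distros) is reported
    for triage rather than suppressed; the path check is the stronger signal."""
    targets = [(autostart_dirs, "*.desktop", "Desktop Entry", "Exec"),
               (unit_dirs, "*.service", "Service", "ExecStart")]
    findings = []
    for dirs, pattern, section, key in targets:
        for d in dirs:
            for f in sorted(Path(d).glob(pattern)):
                cmd = read_exec(f, section, key)
                if cmd is None:
                    continue
                reasons = assess(f.stem, cmd)
                if reasons:
                    findings.append({"name": f.stem, "path": str(f),
                                     "exec": cmd, "reasons": reasons})
    return sorted(findings, key=lambda x: x["name"])


def default_locations():
    """Where to look on a live host: per-user and system-wide directories."""
    home = Path.home()
    return ([home / ".config/autostart", Path("/etc/xdg/autostart")],
            [home / ".config/systemd/user", Path("/etc/systemd/system"),
             Path("/usr/lib/systemd/system")])


def build_fixture():
    """Constructed sample files: two benign entries and two that mimic the
    Fysbis pattern. Names and paths are invented for the demonstration."""
    root = Path(tempfile.mkdtemp(prefix="fysbis-hunt-"))
    auto, units = root / "autostart", root / "systemd"
    auto.mkdir()
    units.mkdir()
    (auto / "xdg-user-dirs.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=User folders update\n"
        "Exec=/usr/bin/xdg-user-dirs-update\n")
    (auto / "dbus-inotifier.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=dbus-inotifier\n"
        "Exec=/home/alice/.config/dbus-notifier/dbus-inotifier\nHidden=true\n")
    (units / "ssh.service").write_text(
        "[Unit]\nDescription=OpenBSD Secure Shell server\n[Service]\n"
        "ExecStart=/usr/sbin/sshd -D $SSHD_OPTS\nExecReload=/bin/kill -HUP $MAINPID\n"
        "[Install]\nWantedBy=multi-user.target\n")
    (units / "rsyncd.service").write_text(
        "[Unit]\nDescription=fast remote file copy program daemon\n[Service]\n"
        "ExecStart=/var/tmp/.cache/rsyncd --daemon\nRestart=always\n"
        "[Install]\nWantedBy=multi-user.target\n")
    return root


if __name__ == "__main__":
    root = build_fixture()  # swap for hunt(*default_locations()) on a live host
    for item in hunt([root / "autostart"], [root / "systemd"]):
        print(f"{item['path']}: {item['exec']}")
        for reason in item["reasons"]:
            print("   -", reason)
```

On a live host, call `hunt(*default_locations())` as the user in question (and as root for the system directories); a user-level `.desktop` file is exactly what the T1547.013 row says Fysbis drops when it lacks root. Treat the trusted-path list as a baseline to refine, since packaged units on some distributions legitimately start binaries from other locations.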
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0007 | APT28 | [1] |
References
1. Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy's Linux Backdoor. Retrieved September 10, 2017.
2. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
3. Tony Lambert. (2022, June 7). Trapping the Netwire RAT on Linux. Retrieved September 28, 2023.