
S0487 Kessel

Kessel is an advanced version of OpenSSH which acts as a custom backdoor, mainly acting to steal credentials and function as a bot. Kessel has been active since its C2 domain began resolving in August 2018. [1]

ID: S0487
Associated Names: (none listed)
Type: MALWARE
Version: 1.0
Created: 16 July 2020
Last Modified: 10 August 2020

Techniques Used

Domain | ID | Name | Use
enterprise | T1560 | Archive Collected Data | Kessel can RC4-encrypt credentials before sending them to the C2. [1]
enterprise | T1059 | Command and Scripting Interpreter | Kessel can create a reverse shell between the infected host and a specified system. [1]
enterprise | T1554 | Compromise Client Software Binary | Kessel has maliciously altered the OpenSSH binary on targeted systems to create a backdoor. [1]
enterprise | T1132 | Data Encoding | (parent technique; see T1132.001 below)
enterprise | T1132.001 | Standard Encoding | Kessel has exfiltrated data via hexadecimal-encoded subdomain fields of DNS queries. [1]
enterprise | T1030 | Data Transfer Size Limits | Kessel can split the data to be exfiltrated into chunks that will fit in subdomains of DNS queries. [1]
enterprise | T1140 | Deobfuscate/Decode Files or Information | Kessel has decrypted the binary's configuration once the main function was launched. [1]
enterprise | T1048 | Exfiltration Over Alternative Protocol | (parent technique; see T1048.003 below)
enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Kessel can exfiltrate credentials and other information via HTTP POST requests, TCP, and DNS. [1]
enterprise | T1041 | Exfiltration Over C2 Channel | Kessel has exfiltrated information gathered from the infected system to the C2 server. [1]
enterprise | T1105 | Ingress Tool Transfer | Kessel can download additional modules from the C2 server. [1]
enterprise | T1556 | Modify Authentication Process | Kessel has trojanized the ssh_login and user-auth_pubkey functions to steal plaintext credentials. [1]
enterprise | T1027 | Obfuscated Files or Information | Kessel's configuration is hardcoded and RC4-encrypted within the binary. [1]
enterprise | T1090 | Proxy | Kessel can use a proxy during exfiltration if set in the configuration. [1]
enterprise | T1082 | System Information Discovery | Kessel has collected the system architecture, OS version, and MAC address information. [1]
enterprise | T1016 | System Network Configuration Discovery | Kessel has collected the DNS address of the infected host. [1]

References