S0487 Kessel
Kessel is an advanced version of OpenSSH that acts as a custom backdoor, mainly used to steal credentials and to function as a bot. Kessel has been active since its C2 domain began resolving in August 2018.[1]
Item | Value |
---|---|
ID | S0487 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 16 July 2020 |
Last Modified | 10 August 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1560 | Archive Collected Data | Kessel can RC4-encrypt credentials before sending them to the C2.[1] |
enterprise | T1059 | Command and Scripting Interpreter | Kessel can create a reverse shell between the infected host and a specified system.[1] |
enterprise | T1554 | Compromise Client Software Binary | Kessel has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.[1] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | Kessel has exfiltrated data via hexadecimal-encoded subdomain fields of DNS queries.[1] |
enterprise | T1030 | Data Transfer Size Limits | Kessel can split the data to be exfiltrated into chunks that will fit in subdomains of DNS queries.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Kessel has decrypted the binary’s configuration once the main function was launched.[1] |
enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Kessel can exfiltrate credentials and other information via HTTP POST requests, TCP, and DNS.[1] |
enterprise | T1041 | Exfiltration Over C2 Channel | Kessel has exfiltrated information gathered from the infected system to the C2 server.[1] |
enterprise | T1105 | Ingress Tool Transfer | Kessel can download additional modules from the C2 server.[1] |
enterprise | T1556 | Modify Authentication Process | Kessel has trojanized the user-auth_pubkey functions to steal plaintext credentials.[1] |
enterprise | T1027 | Obfuscated Files or Information | Kessel's configuration is hardcoded and RC4 encrypted within the binary.[1] |
enterprise | T1090 | Proxy | Kessel can use a proxy during exfiltration if set in the configuration.[1] |
enterprise | T1082 | System Information Discovery | Kessel has collected the system architecture, OS version, and MAC address information.[1] |
enterprise | T1016 | System Network Configuration Discovery | Kessel has collected the DNS address of the infected host.[1] |
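The DNS exfiltration behaviour mapped above (T1132.001 and T1030: hex-encoded payload carried in subdomain labels, chunked to fit DNS name limits) can be hunted for in resolver query logs by looking for clients that send many hex-only labels to one zone. The Python below is an added example written for this page, not code from ATT&CK or the cited report; the log entries, the thresholds and the placeholder zone name are constructed, and treating the last two labels as the registrable domain is a simplifying assumption.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log: (client_ip, queried_name). The hex labels are
# made-up bytes; per the table, real Kessel payloads are RC4-encrypted, so decoding
# the hex yields ciphertext rather than readable credentials.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com."),
    ("10.0.0.7", "mail.example.com."),
    ("10.0.0.7", "api.v2.service.example.org."),
    ("10.0.0.7", "deadbeefcafef00d.cdn.example.net."),  # one short hex label: not enough evidence
] + [
    # Six chunked queries from one client: two 16-byte hex labels per query, sequence byte first.
    ("10.0.0.5", f"{i:02x}e3f9a27c5d1b8046f2c9ad7e1b3c5a.9f1c4b7a2e8d6035c1a7f4e29b0d3c6e.c2-placeholder.example.")
    for i in range(1, 7)
]

# A label counts as hex payload if it is even-length hex of at least 16 characters.
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2}){8,}$", re.IGNORECASE)


def split_hex_payload(qname):
    """Return (hex_labels, zone). Assumption: zone is the last two labels of the name."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return [], ".".join(labels)
    zone = ".".join(labels[-2:])
    hex_labels = [lab for lab in labels[:-2] if HEX_LABEL.match(lab)]
    return hex_labels, zone


def find_dns_exfil(queries, min_queries=5, min_bytes=64):
    """Aggregate hex-labelled queries per (client, zone) and flag chunked exfil patterns."""
    stats = defaultdict(lambda: {"queries": 0, "bytes": 0, "hex": []})
    for client, qname in queries:
        hex_labels, zone = split_hex_payload(qname)
        if not hex_labels:
            continue
        s = stats[(client, zone)]
        s["queries"] += 1
        s["bytes"] += sum(len(lab) // 2 for lab in hex_labels)
        s["hex"].extend(hex_labels)  # keep arrival order so chunks can be reassembled
    findings = []
    for (client, zone), s in stats.items():
        if s["queries"] >= min_queries and s["bytes"] >= min_bytes:
            findings.append({"client": client, "zone": zone, "queries": s["queries"],
                             "bytes": s["bytes"], "payload": bytes.fromhex("".join(s["hex"]))})
    return findings


if __name__ == "__main__":
    for f in find_dns_exfil(SAMPLE_QUERIES):
        print(f"{f['client']} -> {f['zone']}: {f['queries']} queries, {f['bytes']} bytes of hex payload")
```

The reassembled payload is kept so an analyst can pass it on for decryption once the RC4 key is recovered from the sample's configuration; the thresholds should be tuned against a baseline of the environment's legitimate hex-labelled names (CDN and telemetry zones commonly use them).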