Skip to content

S0587 Penquin

Penquin is a remote access trojan (RAT) with multiple versions used by Turla to target Linux systems since at least 2014.12

Item Value
ID S0587
Associated Names Penquin 2.0, Penquin_x64
Type MALWARE
Version 1.1
Created 11 March 2021
Last Modified 20 October 2022
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Penquin 2.0 2
Penquin_x64 2

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.004 Unix Shell Penquin can execute remote commands using bash scripts.2
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography Penquin can encrypt communications using the BlowFish algorithm and a symmetric key exchanged with Diffie Hellman.2
enterprise T1041 Exfiltration Over C2 Channel Penquin can execute the command code do_upload to send files to C2.2
enterprise T1083 File and Directory Discovery Penquin can use the command code do_vslist to send file names, size, and status to C2.2
enterprise T1222 File and Directory Permissions Modification -
enterprise T1222.002 Linux and Mac File and Directory Permissions Modification Penquin can add the executable flag to a downloaded file.2
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Penquin can delete downloaded executables after running them.2
enterprise T1105 Ingress Tool Transfer Penquin can execute the command code do_download to retrieve remote files from C2.2
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Penquin has mimicked the Cron binary to hide itself on compromised systems.2
enterprise T1040 Network Sniffing Penquin can sniff network traffic to look for packets matching specific conditions.21
enterprise T1095 Non-Application Layer Protocol The Penquin C2 mechanism is based on TCP and UDP packets.12
enterprise T1027 Obfuscated Files or Information Penquin has encrypted strings in the binary for obfuscation.2
enterprise T1027.005 Indicator Removal from Tools Penquin can remove strings from binaries.2
enterprise T1053 Scheduled Task/Job -
enterprise T1053.003 Cron Penquin can use Cron to create periodic and pre-scheduled background jobs.2
enterprise T1082 System Information Discovery Penquin can report the file system type and disk space of a compromised host to C2.2
enterprise T1016 System Network Configuration Discovery Penquin can report the IP of the compromised host to attacker controlled infrastructure.2
enterprise T1205 Traffic Signaling Penquin will connect to C2 only after sniffing a “magic packet” value in TCP or UDP packets matching specific conditions.21
enterprise T1205.002 Socket Filters Penquin installs a TCP and UDP filter on the eth0 interface.2

Groups That Use This Software

ID Name References
G0010 Turla 2

References

  1. Baumgartner, K. and Raiu, C. (2014, December 8). The ‘Penquin’ Turla. Retrieved March 11, 2021. 

  2. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.