S0690 Green Lambert
Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of Green Lambert may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.[1][2]
| Item | Value | 
|---|---|
| ID | S0690 | 
| Associated Names | |
| Type | MALWARE | 
| Version | 1.0 | 
| Created | 21 March 2022 | 
| Last Modified | 20 April 2022 | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - | 
| enterprise | T1071.004 | DNS | Green Lambert can use DNS for C2 communications.[2][3] | 
| enterprise | T1547 | Boot or Logon Autostart Execution | - | 
| enterprise | T1547.015 | Login Items | Green Lambert can add Login Items to establish persistence.[2][3] | 
| enterprise | T1037 | Boot or Logon Initialization Scripts | - | 
| enterprise | T1037.004 | RC Scripts | Green Lambert can add init.d and rc.d files in the /etc folder to establish persistence.[2][3] | 
| enterprise | T1059 | Command and Scripting Interpreter | - | 
| enterprise | T1059.004 | Unix Shell | Green Lambert can use shell scripts for execution, such as /bin/sh -c.[2][3] | 
| enterprise | T1543 | Create or Modify System Process | - | 
| enterprise | T1543.001 | Launch Agent | Green Lambert can create a Launch Agent with the RunAtLoad key-value pair set to true, ensuring the com.apple.GrowlHelper.plist file runs every time a user logs in.[2][3] | 
| enterprise | T1543.004 | Launch Daemon | Green Lambert can add a plist file in Library/LaunchDaemons to establish persistence.[2][3] | 
| enterprise | T1555 | Credentials from Password Stores | - | 
| enterprise | T1555.001 | Keychain | Green Lambert can use Keychain Services API functions to find and collect passwords, such as SecKeychainFindInternetPassword and SecKeychainItemCopyAttributesAndData.[2][3] | 
| enterprise | T1005 | Data from Local System | Green Lambert can collect data from a compromised host.[2] | 
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Green Lambert can use multiple custom routines to decrypt strings prior to execution.[2][3] | 
| enterprise | T1546 | Event Triggered Execution | - | 
| enterprise | T1546.004 | Unix Shell Configuration Modification | Green Lambert can establish persistence on a compromised host by modifying the profile, login, and run command (rc) files associated with the bash, csh, and tcsh shells.[2][3] | 
| enterprise | T1070 | Indicator Removal | - | 
| enterprise | T1070.004 | File Deletion | Green Lambert can delete the original executable after initial installation, in addition to unused functions.[2][3] | 
| enterprise | T1036 | Masquerading | - | 
| enterprise | T1036.004 | Masquerade Task or Service | Green Lambert has created a new executable named Software Update Check to appear legitimate.[2][3] | 
| enterprise | T1036.005 | Match Legitimate Name or Location | Green Lambert has been disguised as a Growl help file.[2][3] | 
| enterprise | T1027 | Obfuscated Files or Information | Green Lambert has encrypted strings.[2][3] | 
| enterprise | T1090 | Proxy | Green Lambert can use proxies for C2 traffic.[2][3] | 
| enterprise | T1082 | System Information Discovery | Green Lambert can use uname to identify the operating system name, version, and processor type.[2][3] | 
| enterprise | T1016 | System Network Configuration Discovery | Green Lambert can obtain proxy information from a victim's machine using system environment variables.[2][3] | 
| enterprise | T1124 | System Time Discovery | Green Lambert can collect the date and time from a compromised host.[2][3] | 
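The launchd rows above (T1543.001, T1543.004, the com.apple.GrowlHelper.plist masquerade under T1036.005, and the /bin/sh -c execution under T1059.004) describe artifacts a defender can triage directly from LaunchAgents and LaunchDaemons directories. The script below is an added example written for this page; it is not Green Lambert code, not MITRE tooling, and not drawn from the cited reports. It parses launchd plists with the standard library, flags items whose Label claims a com.apple.* identity while the program lives outside Apple-owned paths, items that launch a shell one-liner, and items whose program sits in a hidden or temporary directory, and notes when RunAtLoad is true. The Apple-owned path list is an assumption to tune against your own baseline, and every sample plist and file path in the block is constructed (the page gives no program path for the real implant).

```python
"""Triage launchd plists for the persistence traits the table above attributes to Green Lambert.

Added example for this page, not Green Lambert code and not a MITRE tool. It flags
LaunchAgent/LaunchDaemon items that (a) carry a com.apple.* Label but run a program
outside Apple-owned paths (T1543.001/.004 plus T1036.005), (b) run a shell one-liner
such as /bin/sh -c (T1059.004), or (c) point at a hidden or temporary path, and notes
when RunAtLoad is true. The sample plists are constructed; their file paths are
hypothetical, because the page gives none.
"""
import plistlib
from pathlib import Path

# Where Apple's own launchd items normally keep their binaries. Assumption for this
# example; tune it to your own baseline.
APPLE_OWNED = ("/System/", "/usr/libexec/", "/usr/bin/", "/usr/sbin/", "/Library/Apple/")
SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/bin/csh", "/bin/tcsh")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/private/tmp/", "/private/var/tmp/")


def program_argv(plist: dict) -> list[str]:
    """Reconstruct the argv launchd will execute: Program, if set, overrides argv[0]."""
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    if "Program" in plist:
        return [str(plist["Program"])] + args[1:]
    return args


def triage(plist: dict) -> list[str]:
    """Return findings for one parsed launchd plist; an empty list means nothing odd."""
    findings = []
    label = str(plist.get("Label", ""))
    argv = program_argv(plist)
    prog = argv[0] if argv else ""

    # (a) Apple-looking label, non-Apple program: the GrowlHelper masquerade pattern.
    if label.startswith("com.apple.") and prog and not prog.startswith(APPLE_OWNED):
        findings.append(f"{label}: claims an Apple identity but runs {prog} outside Apple-owned paths")
    # (b) Shell one-liner as the launched program.
    if prog in SHELLS and "-c" in argv[1:]:
        findings.append(f"{label}: runs a shell one-liner: {' '.join(argv)}")
    # (c) Program under a dot-directory or a temp directory.
    hidden = any(part.startswith(".") for part in Path(prog).parts[1:]) if prog else False
    if prog.startswith(TEMP_DIRS) or hidden:
        findings.append(f"{label}: program lives in a hidden or temporary path: {prog}")
    # Only worth noting alongside another finding: RunAtLoad is common in benign items.
    if findings and plist.get("RunAtLoad") is True:
        findings.append(f"{label}: RunAtLoad is true, so this runs at every login or boot")
    return findings


def triage_bytes(data: bytes) -> list[str]:
    """Parse raw plist bytes (XML or binary) and triage them; parse failures are findings too."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:
        return [f"unparseable plist: {exc}"]
    if not isinstance(plist, dict):
        return ["plist root is not a dictionary"]
    return triage(plist)


def scan_directory(directory: str) -> dict[str, list[str]]:
    """Triage every *.plist directly under a LaunchAgents or LaunchDaemons directory."""
    results = {}
    for path in sorted(Path(directory).glob("*.plist")):
        findings = triage_bytes(path.read_bytes())
        if findings:
            results[str(path)] = findings
    return results


def _plist(body: str) -> bytes:
    """Wrap a constructed <dict> body in the XML plist envelope."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
            + body + '\n</dict></plist>\n').encode()


# Constructed benign user agent: RunAtLoad on its own is not suspicious.
BENIGN = _plist(
    "<key>Label</key><string>com.example.backup</string>"
    "<key>ProgramArguments</key><array><string>/usr/local/bin/backup</string><string>--daily</string></array>"
    "<key>RunAtLoad</key><true/>"
)

# Constructed sample modelled on the table row: Apple-looking Label, RunAtLoad true.
# The program path is hypothetical.
SUSPECT = _plist(
    "<key>Label</key><string>com.apple.GrowlHelper</string>"
    "<key>ProgramArguments</key><array><string>/Users/alice/Library/.cache/helper</string></array>"
    "<key>RunAtLoad</key><true/>"
)

# Constructed sample of a shell one-liner launcher (hypothetical label and path).
SHELL_ONELINER = _plist(
    "<key>Label</key><string>com.example.updater</string>"
    "<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string>"
    "<string>/Users/alice/Library/.x/run</string></array>"
    "<key>RunAtLoad</key><true/>"
)

if __name__ == "__main__":
    for name, data in (("benign", BENIGN), ("suspect", SUSPECT), ("shell", SHELL_ONELINER)):
        print(name, triage_bytes(data) or "clean")
```

Run it against ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons with scan_directory; treat the Apple-identity and hidden-path findings as the high-signal ones, since RunAtLoad alone appears in plenty of legitimate agents.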
References
1. GREAT. (2017, April 11). Unraveling the Lamberts Toolkit. Retrieved March 21, 2022.
2. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
3. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022.