Skip to content

S0690 Green Lambert

Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of Green Lambert may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.12

Item Value
ID S0690
Associated Names
Version 1.0
Created 21 March 2022
Last Modified 20 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.004 DNS Green Lambert can use DNS for C2 communications.23
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.015 Login Items Green Lambert can add Login Items to establish persistence.23
enterprise T1037 Boot or Logon Initialization Scripts -
enterprise T1037.004 RC Scripts Green Lambert can add init.d and rc.d files in the /etc folder to establish persistence.23
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.004 Unix Shell Green Lambert can use shell scripts for execution, such as /bin/sh -c.23
enterprise T1543 Create or Modify System Process -
enterprise T1543.001 Launch Agent Green Lambert can create a Launch Agent with the RunAtLoad key-value pair set to true, ensuring the file runs every time a user logs in.23
enterprise T1543.004 Launch Daemon Green Lambert can add a plist file in the Library/LaunchDaemons to establish persistence.23
enterprise T1555 Credentials from Password Stores -
enterprise T1555.001 Keychain Green Lambert can use Keychain Services API functions to find and collect passwords, such as SecKeychainFindInternetPassword and SecKeychainItemCopyAttributesAndData.23
enterprise T1005 Data from Local System Green Lambert can collect data from a compromised host.2
enterprise T1140 Deobfuscate/Decode Files or Information Green Lambert can use multiple custom routines to decrypt strings prior to execution.23
enterprise T1546 Event Triggered Execution -
enterprise T1546.004 Unix Shell Configuration Modification Green Lambert can establish persistence on a compromised host through modifying the profile, login, and run command (rc) files associated with the bash, csh, and tcsh shells. 23
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Green Lambert can delete the original executable after initial installation in addition to unused functions.23
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Green Lambert has created a new executable named Software Update Check to appear legitimate.23
enterprise T1036.005 Match Legitimate Name or Location Green Lambert has been disguised as a Growl help file.23
enterprise T1027 Obfuscated Files or Information Green Lambert has encrypted strings.23
enterprise T1090 Proxy Green Lambert can use proxies for C2 traffic.23
enterprise T1082 System Information Discovery Green Lambert can use uname to identify the operating system name, version, and processor type.23
enterprise T1016 System Network Configuration Discovery Green Lambert can obtain proxy information from a victim’s machine using system environment variables.23
enterprise T1124 System Time Discovery Green Lambert can collect the date and time from a compromised host.23