| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Gomir periodically communicates with its command and control infrastructure through HTTP POST requests. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | Gomir reads command line arguments and parses them for functionality when executed from a Linux shell, and can execute arbitrary strings passed to it as shell commands. |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.002 | Systemd Service | Gomir creates a systemd service named syslogd for persistence. |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Gomir uses Base64-encoded content in HTTP communications to command and control infrastructure. |
| enterprise | T1573 | Encrypted Channel | Gomir uses a custom encryption algorithm for content sent to command and control infrastructure. |
| enterprise | T1573.002 | Asymmetric Cryptography | Gomir uses reverse proxy functionality that employs SSL to encrypt communications. |
| enterprise | T1083 | File and Directory Discovery | Gomir collects information about directory and file structures, including the total number of subdirectories, the total number of files, and the total size of files on infected systems. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Gomir deletes its original executable and terminates its original process after creating a systemd service. |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.001 | Local Groups | Gomir checks the effective group ID of its process when initially executed to determine if it is in group 0, denoting superuser privileges in Linux environments. |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.001 | Internal Proxy | Gomir can start a reverse proxy to initiate connections to arbitrary endpoints in victim networks. |
| enterprise | T1018 | Remote System Discovery | Gomir probes arbitrary network endpoints for TCP connectivity. |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.003 | Cron | Gomir will configure a crontab for process execution to start the backdoor on reboot if it is not initially running under group 0 privileges. |
| enterprise | T1082 | System Information Discovery | Gomir collects information on infected systems such as hostname, username, CPU, and RAM information. |
| enterprise | T1016 | System Network Configuration Discovery | Gomir collects network information on infected systems such as interface names, MAC and IP addresses, and IPv6 addresses. |