T1554 Compromise Client Software Binary
Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.
Adversaries may modify client software binaries so that malicious code runs whenever those applications are used. For example, an adversary may copy the source code for the client software, add a backdoor, compile it for the target, and replace the legitimate application binary (or its support files) with the backdoored one. Because these applications are routinely run by the user, and credentials such as SSH passwords and keys pass through them in the clear, the adversary gains both persistent access to the host and a vantage point for credential theft (see the OpenSSH and browser procedure examples below).
Item | Value |
---|---|
ID | T1554 |
Sub-techniques | None |
Tactics | TA0003 (Persistence) |
Platforms | Linux, Windows, macOS |
Version | 1.0 |
Created | 11 February 2020 |
Last Modified | 19 October 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
C0025 | 2016 Ukraine Electric Power Attack | During the 2016 Ukraine Electric Power Attack, Sandworm Team used a trojanized version of Windows Notepad to add a layer of persistence for Industroyer. [5] |
S0486 | Bonadan | Bonadan has maliciously altered the OpenSSH binary on targeted systems to create a backdoor. [6] |
S0377 | Ebury | Ebury has been embedded into modified OpenSSH binaries to gain persistent access to SSH credential information. [7] |
S0604 | Industroyer | Industroyer has used a trojanized version of the Windows Notepad application as an additional backdoor persistence mechanism. [5] |
S0487 | Kessel | Kessel has maliciously altered the OpenSSH binary on targeted systems to create a backdoor. [6] |
S0641 | Kobalos | Kobalos replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems. [1] |
S0595 | ThiefQuest | ThiefQuest searches the /Users/ folder for executable files. For each executable, ThiefQuest prepends a copy of itself to the beginning of the file, so that when the file is executed the ThiefQuest code runs first. ThiefQuest then creates a hidden file, copies the original target executable into it, and executes that hidden file to maintain the appearance of normal behavior. [2][3] |
S0658 | XCSSET | XCSSET uses a malicious browser application to replace the legitimate browser in order to continuously capture credentials, monitor web traffic, and download additional modules. [4] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1045 | Code Signing | Ensure all application component binaries are signed by the correct application developers, and verify those signatures (or a trusted hash baseline) before the binaries are trusted or executed. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Creation |
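The mitigation and detection entries above boil down to one check: does the client binary on disk still match what the vendor or package manager shipped? The following is an added example, not code from the ATT&CK page or from any of the tools it cites. It builds a hash manifest for a set of client binaries from a trusted state, then re-verifies and reports modified, missing, and newly created executables (the File Creation data component). The `demo()` function constructs a throwaway directory with a stand-in `ssh` and tampers with it the way the ThiefQuest entry describes (code prepended to the original, original copied to a hidden file); the watch-list paths in `DEFAULT_TARGETS` are assumptions and should be replaced by the package manager's file list in practice.

```python
"""Baseline-and-verify integrity check for client binaries (added example)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Assumed watch list. In production, derive it from the package manager
# (dpkg -L openssh-client, rpm -ql openssh-clients) rather than hard-coding.
DEFAULT_TARGETS = ["/usr/bin/ssh", "/usr/bin/scp", "/usr/bin/sftp"]


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Record hash, size and mode for each path.

    Run this from a trusted state (fresh install, or after checking the files
    against the distribution's own signatures) and store the result off-host;
    an attacker who can replace the binary can also rewrite a local manifest.
    """
    manifest = {}
    for p in paths:
        st = os.stat(p)
        manifest[str(p)] = {
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
        }
    return manifest


def verify_manifest(manifest):
    """Compare the files on disk with the manifest; return only the findings."""
    findings = []
    for path, rec in manifest.items():
        if not os.path.exists(path):
            findings.append({"path": path, "status": "missing"})
            continue
        st = os.stat(path)
        if sha256_file(path) != rec["sha256"]:
            findings.append({"path": path, "status": "modified",
                             "detail": f"size {rec['size']} -> {st.st_size}"})
        elif stat.S_IMODE(st.st_mode) != rec["mode"]:
            findings.append({"path": path, "status": "mode_changed"})
    return findings


def unlisted_executables(directory, manifest):
    """Executable files in `directory` that the manifest does not know about.

    This is the File Creation signal: a trojanized client often leaves the
    original behind under a new (frequently hidden) name so it can still be run.
    """
    known = set(manifest)
    return [str(e) for e in sorted(Path(directory).iterdir())
            if e.is_file() and os.access(e, os.X_OK) and str(e) not in known]


def demo():
    """Constructed scenario: baseline a stand-in ssh client, tamper with it the
    way ThiefQuest does, and re-verify. Returns the findings for inspection."""
    with tempfile.TemporaryDirectory() as d:
        ssh = Path(d) / "ssh"
        ssh.write_bytes(b'#!/bin/sh\nexec /usr/bin/true "$@"\n')  # stand-in client
        ssh.chmod(0o755)
        manifest = build_manifest([ssh])
        baseline = verify_manifest(manifest)          # expected: no findings
        # Tamper: keep the original under a hidden name, prepend attacker code.
        hidden = Path(d) / ".ssh_orig"
        hidden.write_bytes(ssh.read_bytes())
        hidden.chmod(0o755)
        ssh.write_bytes(b"#!/bin/sh\n# attacker-added code runs first\n" + hidden.read_bytes())
        return {
            "baseline": baseline,
            "after": verify_manifest(manifest),
            "new_files": [os.path.basename(p) for p in unlisted_executables(d, manifest)],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The hash manifest is a stand-in for signature verification where no signature exists; where one does, prefer the platform's own check (`codesign --verify --deep` on macOS, `Get-AuthenticodeSignature` on Windows, `dpkg --verify` or `rpm -V` on Linux) and treat the manifest as a second opinion. Whatever the source of truth, keep it off the host being checked.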
References
1. M.Léveillé, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS: Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.
2. Wardle, P. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
3. Reed, T. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021.
4. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
5. Cherepanov, A. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved December 18, 2020.
6. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE: A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
7. M.Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.