Derusbi
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| PHOTO | (Citation: FireEye Periscope March 2018) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1059 | .004 | Command and Scripting Interpreter: Unix Shell |
Derusbi is capable of creating a remote Bash shell and executing commands.(Citation: Fidelis Turbo)(Citation: FireEye Periscope March 2018) |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
Derusbi obfuscates C2 traffic with variable 4-byte XOR keys.(Citation: Fidelis Turbo) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Derusbi is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk as well as overwriting the data with null bytes.(Citation: Fidelis Turbo)(Citation: FireEye Periscope March 2018) |
| .006 | Indicator Removal: Timestomp |
The Derusbi malware supports timestomping.(Citation: Novetta-Axiom)(Citation: Fidelis Turbo) |
||
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
Derusbi is capable of logging keystrokes.(Citation: FireEye Periscope March 2018) |
| Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
Derusbi injects itself into the secure shell (SSH) process.(Citation: Airbus Derusbi 2015) |
| Enterprise | T1218 | .010 | System Binary Proxy Execution: Regsvr32 |
Derusbi variants have been seen that use Registry persistence to proxy execution through regsvr32.exe.(Citation: ThreatGeek Derusbi Converge) |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0065 | Leviathan |
(Citation: FireEye Periscope March 2018) (Citation: CISA AA21-200A APT40 July 2021) |
| G0009 | Deep Panda |
(Citation: ThreatConnect Anthem) |
| G0001 | Axiom |
(Citation: Novetta-Axiom) (Citation: Cisco Group 72) |
| G0096 | APT41 |
(Citation: FireEye APT41 Aug 2019) |
References
- Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
- ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.
- Perigaud, F. (2015, December 15). Newcomers in the Derusbi family. Retrieved December 20, 2017.
- Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
- Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.
- Fidelis Threat Research Team. (2016, May 2). Turbo Twist: Two 64-bit Derusbi Strains Converge. Retrieved August 16, 2018.
- CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.