| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | Windigo has used a script to gather credentials from files left on disk by OpenSSH backdoors.[3] |
| Enterprise | T1090 | Proxy | Windigo has delivered a generic Windows proxy, Win32/Glubteta.M. Windigo has also used multiple reverse proxy chains as part of its C2 infrastructure.[1] |
| Enterprise | T1059 | Command and Scripting Interpreter | Windigo has used a Perl script for information gathering.[3] |
| Enterprise | T1083 | File and Directory Discovery | Windigo has used a script to check for the presence of files created by OpenSSH backdoors.[3] |
| Enterprise | T1189 | Drive-by Compromise | Windigo has distributed Windows malware via drive-by downloads.[1] |
| Enterprise | T1082 | System Information Discovery | Windigo has used a script to detect which Linux distribution and version is installed on the system.[3] |
| Enterprise | T1518 | Software Discovery | Windigo has used a script to detect installed software on targeted systems.[3] |

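The T1082 and T1083 rows above describe a host-discovery script that reads the distribution and then probes for artifacts left behind by backdoored OpenSSH binaries. The following is an added example (not Windigo's own script, and not code from MITRE or ESET) that reimplements those two steps in Python so a defender can see what such a script actually touches on disk: it parses `/etc/os-release` (including quoted values and comment lines) and checks a list of candidate paths under a root directory. The `/etc/os-release` text and the artifact paths used in the demo are constructed placeholders, not real indicators of compromise.

```python
"""Reimplementation of the discovery steps mapped to T1082 and T1083.

Added example for illustration. The sample os-release text and the
candidate artifact paths are constructed for the demo and are NOT real
Windigo/Ebury indicators.
"""
import os
import shlex
import tempfile


def parse_os_release(text: str) -> dict:
    """Parse os-release(5) KEY=VALUE lines into a dict.

    Values may be wrapped in shell-style quotes, so shlex is used to
    unquote them. Comments, blank lines and lines without '=' are skipped.
    A value with unbalanced quotes is kept verbatim rather than raising.
    """
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            parts = shlex.split(value)
            value = parts[0] if parts else ""
        except ValueError:  # unbalanced quote: keep the raw text
            value = value.strip()
        info[key.strip()] = value
    return info


def identify_distro(info: dict) -> tuple:
    """Return (distribution id, version id).

    Falls back to the first ID_LIKE entry when ID is absent, which is how
    discovery scripts usually treat derivative distributions.
    """
    distro = info.get("ID") or (info.get("ID_LIKE", "").split() or ["unknown"])[0]
    return distro, info.get("VERSION_ID", "unknown")


def check_paths(root: str, rel_paths) -> dict:
    """Return {relative_path: present} for each candidate path under root.

    os.path.lexists is used so that a dangling symlink still counts as
    present; an artifact check should not be fooled by a broken link.
    """
    return {p: os.path.lexists(os.path.join(root, p)) for p in rel_paths}


# Constructed sample; not copied from any real host.
SAMPLE_OS_RELEASE = """\
# comment line that must be ignored
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
ID=debian
HOME_URL="https://www.debian.org/"
"""

# Hypothetical placeholder paths for the demo only.
CANDIDATE_PATHS = ["var/tmp/.example_artifact", "etc/ssh/.example_missing"]


def demo() -> dict:
    """Create one of the placeholder artifacts in a temp root and probe both."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "var", "tmp"))
        open(os.path.join(root, "var", "tmp", ".example_artifact"), "w").close()
        return check_paths(root, CANDIDATE_PATHS)


if __name__ == "__main__":
    print(identify_distro(parse_os_release(SAMPLE_OS_RELEASE)))
    print(demo())
```

On a live host the script would read `/etc/os-release` directly and use `/` as the root; from a detection standpoint, the observable is a short-lived interpreter process that reads `/etc/os-release` and then stats a series of paths it has no ordinary reason to look at.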
| ID | Name | References | Techniques |
|---|---|---|---|
| S0377 | Ebury | [4] | Rootkit, Compromise Host Software Binary, Modify Authentication Process: Pluggable Authentication Modules, Modify Authentication Process, Shared Modules, Encrypted Channel: Symmetric Cryptography, Dynamic Resolution: Domain Generation Algorithms, Hijack Execution Flow: Dynamic Linker Hijacking, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Unix Shell, Command and Scripting Interpreter: Python, Fallback Channels, Impair Defenses: Disable or Modify Tools, Impair Defenses: Disable or Modify Linux Audit System, Impair Defenses: Indicator Blocking, Application Layer Protocol: DNS, Data Encoding: Standard Encoding, Unsecured Credentials: Private Keys, Obfuscated Files or Information, Automated Exfiltration, Exfiltration Over C2 Channel, Subvert Trust Controls: Code Signing |