| Name | Description |
|---|---|
| PHOTO | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Derusbi obfuscates C2 traffic with variable 4-byte XOR keys.[3] |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | Derusbi is capable of creating a remote Bash shell and executing commands.[3][4] |
| Enterprise | T1008 | Fallback Channels | Derusbi uses a backup communication method with an HTTP beacon.[3] |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1083 | File and Directory Discovery | Derusbi is capable of obtaining directory, file, and drive listings.[3][4] |
| Enterprise | T1012 | Query Registry | Derusbi is capable of enumerating Registry keys and values.[4] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Derusbi is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk, as well as overwriting the data with null bytes.[3][4] |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | |
| Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | Derusbi variants have been seen that use Registry persistence to proxy execution through regsvr32.exe.[5] |
| Enterprise | T1082 | System Information Discovery | Derusbi gathers the name of the local host, the version of the GNU Compiler Collection (GCC), and system information about the CPU, machine, and operating system.[3] |
| Enterprise | T1033 | System Owner/User Discovery | A Linux version of Derusbi checks whether the victim user ID is anything other than zero (normally used for root), and the malware will not execute if it does not have root privileges. Derusbi also gathers the username of the victim.[3] |
| Enterprise | T1125 | Video Capture | |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Derusbi injects itself into the secure shell (SSH) process.[6] |
| Enterprise | T1095 | Non-Application Layer Protocol | Derusbi binds to a raw socket on a random source port between 31800 and 31900 for C2.[3] |
| Enterprise | T1571 | Non-Standard Port | |
| Enterprise | T1123 | Audio Capture | |