Umbreon is a Linux rootkit that provides backdoor access and hides from defenders.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1014 | Rootkit | Umbreon hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence (such as the user account it creates to provide access), and undermining strace, a tool often used to identify malware.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet.[1] |
| Enterprise | T1078.003 | Valid Accounts: Local Accounts | Umbreon creates valid local users to provide access to the system.[1] |
| Enterprise | T1205 | Traffic Signaling | Umbreon provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | Umbreon provides access to the system via SSH or any other protocol that uses PAM to authenticate.[1] |
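A cross-view check is one way to surface the libc-level account hiding described in the T1014 row: read `/etc/passwd` once through libc and once through direct system calls, then report login names that appear only in the direct view. The C program below is an added example, not code from the original page or from any Umbreon analysis. It assumes the hook filters libc's stdio reads and does not intercept the generic `syscall()` wrapper.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Read a file with direct system calls instead of libc's open()/read() wrappers. */
static ssize_t raw_read_file(const char *path, char *buf, size_t cap) {
    long n, fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY);
    size_t off = 0;
    if (fd < 0) return -1;
    while (off < cap - 1 && (n = syscall(SYS_read, fd, buf + off, cap - 1 - off)) > 0)
        off += (size_t)n;
    syscall(SYS_close, fd);
    buf[off] = '\0';
    return (ssize_t)off;
}

/* Return 1 if `name` is a login name (first field) in passwd-format text. */
static int passwd_has(const char *text, const char *name) {
    size_t len = strlen(name);
    for (const char *p = text; p && *p; p = strchr(p, '\n'), p = p ? p + 1 : NULL)
        if (strncmp(p, name, len) == 0 && p[len] == ':') return 1;
    return 0;
}

/* Count (and print) login names present in `raw` but missing from `libc_view`. */
static int count_hidden(const char *raw, const char *libc_view) {
    int hidden = 0;
    for (const char *p = raw; p && *p; p = strchr(p, '\n'), p = p ? p + 1 : NULL) {
        char name[64];
        size_t len = strcspn(p, ":\n");
        if (len == 0 || len >= sizeof name || p[len] != ':' || *p == '#') continue;
        memcpy(name, p, len); name[len] = '\0';
        if (!passwd_has(libc_view, name)) { printf("hidden account: %s\n", name); hidden++; }
    }
    return hidden;
}

/* Assumption: hooked libc stdio filters the file, the raw syscalls do not. */
int main(void) {
    static char raw[1 << 16], via_libc[1 << 16];
    FILE *f = fopen("/etc/passwd", "r");
    if (!f || raw_read_file("/etc/passwd", raw, sizeof raw) < 0) return 2;
    via_libc[fread(via_libc, 1, sizeof via_libc - 1, f)] = '\0';
    fclose(f);
    return count_hidden(raw, via_libc) ? 1 : 0;
}
```

A clean result does not prove the host is clean: a hook that also covers `syscall()` defeats this check, so comparing against an offline or out-of-band read of the disk remains the stronger test.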