Exaramel for Linux is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under Exaramel for Windows.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1543 | Create or Modify System Process | Exaramel for Linux has a hardcoded location that it uses to achieve persistence if the startup system is Upstart or System V and it is running as root.[2] |
| Enterprise | T1543.002 | Create or Modify System Process: Systemd Service | Exaramel for Linux has a hardcoded location under systemd that it uses to achieve persistence if it is running as root.[1][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Exaramel for Linux can decrypt its configuration file.[2] |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | Exaramel for Linux has a command to execute a shell command on the system.[1][2] |
| Enterprise | T1008 | Fallback Channels | Exaramel for Linux can attempt to find a new C2 server if it receives an error.[2] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Exaramel for Linux uses HTTPS for C2 communications.[1][2] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Exaramel for Linux uses RC4 for encrypting the configuration.[1][2] |
| Enterprise | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | Exaramel for Linux can execute commands with high privileges via a specific binary with setuid functionality.[2] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Exaramel for Linux can uninstall its persistence mechanism and delete its configuration file.[2] |
| Enterprise | T1033 | System Owner/User Discovery | Exaramel for Linux can run |
| Enterprise | T1105 | Ingress Tool Transfer | Exaramel for Linux has a command to download a file from and to a remote C2 server.[1][2] |
| Enterprise | T1053.003 | Scheduled Task/Job: Cron | Exaramel for Linux uses crontab for persistence if it does not have root privileges.[1][2] |
| ID | Name | References |
|---|---|---|
| G0034 | Sandworm Team | |