| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Penquin has mimicked the Cron binary to hide itself on compromised systems.[2] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Penquin can encrypt communications using the Blowfish algorithm and a symmetric key exchanged with Diffie-Hellman.[2] |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | |
| Enterprise | T1083 | File and Directory Discovery | Penquin can use the command code |
| Enterprise | T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | Penquin can add the executable flag to a downloaded file.[2] |
| Enterprise | T1205 | Traffic Signaling | Penquin will connect to C2 only after sniffing a "magic packet" value in TCP or UDP packets matching specific conditions.[2][1] |
| Enterprise | T1205.002 | Traffic Signaling: Socket Filters | Penquin installs a |
| Enterprise | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Penquin has encrypted strings in the binary for obfuscation.[2] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Penquin can delete downloaded executables after running them.[2] |
| Enterprise | T1082 | System Information Discovery | Penquin can report the file system type and disk space of a compromised host to C2.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | Penquin can report the IP of the compromised host to attacker-controlled infrastructure.[2] |
| Enterprise | T1040 | Network Sniffing | Penquin can sniff network traffic to look for packets matching specific conditions.[2][1] |
| Enterprise | T1105 | Ingress Tool Transfer | Penquin can execute the command code |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Penquin can execute the command code |
| Enterprise | T1095 | Non-Application Layer Protocol | The Penquin C2 mechanism is based on TCP and UDP packets.[1][2] |
| Enterprise | T1053.003 | Scheduled Task/Job: Cron | Penquin can use Cron to create periodic and pre-scheduled background jobs.[2] |
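The Traffic Signaling, Socket Filters and Network Sniffing rows describe the same mechanism from three angles: the implant has to see raw traffic before it will call home, which on Linux normally means an AF_PACKET socket with a BPF filter attached. That is visible from the host side. The script below is an added example (not code from the ATT&CK page or from Penquin) that lists every packet socket in `/proc/net/packet`, ties each one back to its owning process through the `socket:[inode]` links in `/proc/<pid>/fd`, and flags owners that are not a known capture tool. The allow-list of expected capture processes and the sample `/proc/net/packet` contents are constructed for the example.

```python
"""Hunt for processes that hold AF_PACKET (raw) sockets on Linux.

Added example for the Traffic Signaling / Socket Filters / Network Sniffing
rows; it is not code from the ATT&CK page or from Penquin itself.  The kernel
lists every packet socket in /proc/net/packet; its inode appears as a
socket:[inode] symlink in the fd table of the process that owns it.
"""
import os
import re
import sys
from dataclasses import dataclass

ETH_P_ALL = 0x0003                      # "every protocol", the usual choice for sniffers
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")

# Processes that legitimately open packet sockets on a typical server.
# Assumption for this example; tune it to the host being checked.
EXPECTED_CAPTURE_PROCS = {"tcpdump", "dhclient", "dhcpcd", "NetworkManager",
                          "wpa_supplicant", "systemd-network", "lldpd"}

# Constructed sample of /proc/net/packet, not captured from a real host:
# one socket bound to ifindex 2 (uid 0) and one bound to all interfaces (uid 1000).
SAMPLE_PACKET_TABLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      28115
0000000000000000 3      3    0003   0     1 0      1000   40122
"""


@dataclass
class PacketSocket:
    inode: int
    proto: int   # EtherType the socket is bound to; 0x0003 == ETH_P_ALL
    iface: int   # interface index; 0 means every interface
    user: int    # uid owning the socket


def parse_packet_table(text: str) -> list[PacketSocket]:
    """Parse /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode)."""
    sockets = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append(PacketSocket(inode=int(fields[8]), proto=int(fields[3], 16),
                                    iface=int(fields[4]), user=int(fields[7])))
    return sockets


def owners_from_fd_links(fd_links: dict[int, list[str]], inodes: set[int]) -> dict[int, list[int]]:
    """Map each socket inode of interest to the pids whose fd table references it.
    fd_links is pid -> list of readlink() targets taken from /proc/<pid>/fd."""
    owners: dict[int, list[int]] = {inode: [] for inode in inodes}
    for pid, targets in fd_links.items():
        for target in targets:
            m = SOCKET_LINK.fullmatch(target)
            if m and int(m.group(1)) in owners:
                owners[int(m.group(1))].append(pid)
    return owners


def is_unexpected(sock: PacketSocket, owner_names: list[str],
                  expected: set[str] = EXPECTED_CAPTURE_PROCS) -> bool:
    """Flag a packet socket whose owner is not a known capture tool.  A socket
    with no visible owner is flagged too: either we lack permission to read
    /proc/<pid>/fd, or the owner is hiding, and both deserve a look."""
    return not owner_names or any(name not in expected for name in owner_names)


def read_fd_links(proc_root: str = "/proc") -> dict[int, list[str]]:
    """Collect readlink() targets for every fd of every process we may inspect."""
    links: dict[int, list[str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            names = os.listdir(fd_dir)
        except OSError:               # EACCES without root, or the process exited
            continue
        targets = []
        for name in names:
            try:
                targets.append(os.readlink(os.path.join(fd_dir, name)))
            except OSError:
                continue
        links[int(entry)] = targets
    return links


def process_name(pid: int, proc_root: str = "/proc") -> str:
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


def main() -> int:
    try:
        with open("/proc/net/packet") as f:
            table = f.read()
    except OSError as exc:            # not Linux, or /proc not mounted
        print(f"cannot read /proc/net/packet: {exc}", file=sys.stderr)
        return 2
    sockets = parse_packet_table(table)
    owners = owners_from_fd_links(read_fd_links(), {s.inode for s in sockets})
    for s in sockets:
        names = [process_name(pid) for pid in owners[s.inode]]
        scope = "all interfaces" if s.iface == 0 else f"ifindex {s.iface}"
        proto = "ETH_P_ALL" if s.proto == ETH_P_ALL else f"proto 0x{s.proto:04x}"
        flag = "SUSPECT" if is_unexpected(s, names) else "ok"
        print(f"{flag:7} inode {s.inode} {proto} on {scope} uid {s.user} "
              f"owner {list(zip(owners[s.inode], names)) or 'not visible (run as root)'}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as root so that every process's fd table is readable; unprivileged, a socket whose owner cannot be resolved is reported rather than silently dropped. A process that calls itself `cron` but owns a packet socket is exactly the combination the Masquerading and Socket Filters rows describe, since the real cron daemon never opens one. The attached BPF program itself is not exposed through `/proc`; to see it you need `bpftool` or a kernel-side trace of `setsockopt(SO_ATTACH_FILTER)`.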
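The Masquerading, Scheduled Task/Job: Cron and File Deletion rows point at the two checks a responder would run on a Linux host: is every process named like the cron daemon really the packaged binary (and is that binary still on disk), and do any crontab entries launch something from a scratch directory. The script below is an added example, not code from the ATT&CK page or from Penquin. The expected cron binary paths, the scratch-directory list and the sample crontab are assumptions constructed for the example; confirm the paths on the host with `dpkg -S` or `rpm -qf`.

```python
"""Check cron on a Linux host for a masquerading daemon and suspicious jobs.

Added example, not code from the ATT&CK page or from Penquin.  Two checks:
1. every process whose comm is cron/crond must run from the packaged binary,
   and that binary must still exist (a "(deleted)" exe is a classic sign of a
   payload removed after launch);
2. crontab entries must not start something from a world-writable directory.
"""
import glob
import os
import re
import sys
from typing import Optional

# Where the distribution's cron daemon lives: Debian/Ubuntu ship /usr/sbin/cron,
# RHEL/Fedora (cronie) ship /usr/sbin/crond.  Assumption for this example.
EXPECTED_CRON_BINARIES = {
    "cron": {"/usr/sbin/cron"},
    "crond": {"/usr/sbin/crond"},
}

# Directories any local user can write to; a job running from one is unusual
# for packaged software and common for dropped payloads.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
HIDDEN_COMPONENT = re.compile(r"/\.[^/.\s]")   # a path segment that starts with "."

# Constructed sample crontab (system format: five time fields, user, command).
SAMPLE_SYSTEM_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
@reboot         root    /dev/shm/.x/cron
*/5 *   * * *   root    /tmp/.update.sh >/dev/null 2>&1
"""


def check_exe(comm: str, exe_target: str) -> Optional[str]:
    """Return a finding for a process named like cron whose /proc/<pid>/exe
    does not point at the expected binary, or None if it looks normal."""
    expected = EXPECTED_CRON_BINARIES.get(comm)
    if expected is None:
        return None
    if exe_target.endswith(" (deleted)"):
        return f"{comm}: binary {exe_target} was deleted while the process is running"
    if exe_target not in expected:
        return f"{comm}: runs from {exe_target}, expected one of {sorted(expected)}"
    return None


def parse_crontab(text: str, system_format: bool) -> list[tuple[str, str]]:
    """Return (schedule, command) pairs.  System crontabs (/etc/crontab,
    /etc/cron.d/*) carry a user column that per-user spool files lack."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"[A-Za-z_][A-Za-z0-9_]*=", line):
            continue                       # blank, comment, or VAR=value
        n_time = 1 if line.startswith("@") else 5   # @reboot, @daily, ... take one field
        n_cols = n_time + (1 if system_format else 0)
        fields = line.split(None, n_cols)
        if len(fields) <= n_cols:
            continue                       # malformed line; cron would reject it too
        entries.append((" ".join(fields[:n_time]), fields[n_cols]))
    return entries


def suspicious_entries(text: str, system_format: bool) -> list[tuple[str, str, str]]:
    """Return (schedule, command, reason) for entries worth a closer look."""
    findings = []
    for schedule, command in parse_crontab(text, system_format):
        if any(d in command for d in SCRATCH_DIRS):
            findings.append((schedule, command, "runs from a world-writable scratch directory"))
        elif HIDDEN_COMPONENT.search(command):
            findings.append((schedule, command, "path contains a hidden component"))
    return findings


def main() -> int:
    rc = 0
    # 1. Is every process named cron/crond really the packaged daemon?
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:                  # exited, or not readable without root
            continue
        finding = check_exe(comm, exe)
        if finding:
            print(f"pid {entry}: {finding}")
            rc = 1
    # 2. Do any crontab entries launch something from a scratch directory?
    files = [("/etc/crontab", True)] + [(p, True) for p in glob.glob("/etc/cron.d/*")]
    spools = glob.glob("/var/spool/cron/crontabs/*") + glob.glob("/var/spool/cron/*")
    files += [(p, False) for p in spools]
    for path, system_format in files:
        try:
            with open(path) as f:
                text = f.read()
        except OSError:                  # missing, a directory, or unreadable
            continue
        for schedule, command, reason in suspicious_entries(text, system_format):
            print(f"{path}: [{schedule}] {command}  <- {reason}")
            rc = 1
    return rc


if __name__ == "__main__":
    sys.exit(main())
```

The exe check catches the cheap version of the trick (a binary named `cron` dropped somewhere else); if the real `/usr/sbin/cron` has been replaced in place, only a content check tells you, so follow up with `dpkg -V cron` or `rpm -V cronie`, which compare the installed file against the package's recorded hash.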