1. Home
  2. Groups
  3. Windigo

Windigo

The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, Windigo operators continued updating Ebury through 2019.[1][2]

ID: G0124
Version: 1.0
Created: 10 February 2021
Last Modified: 26 April 2021
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 Command and Scripting Interpreter

Windigo has used a Perl script for information gathering.[3]
Enterprise T1005 Data from Local System

Windigo has used a script to gather credentials in files left on disk by OpenSSH backdoors.[3]
Enterprise T1189 Drive-by Compromise

Windigo has distributed Windows malware via drive-by downloads.[1]
Enterprise T1083 File and Directory Discovery

Windigo has used a script to check for the presence of files created by OpenSSH backdoors.[3]
Enterprise T1090 Proxy

Windigo has delivered a generic Windows proxy Win32/Glubteta.M. Windigo has also used multiple reverse proxy chains as part of their C2 infrastructure.[1]
Enterprise T1518 Software Discovery

Windigo has used a script to detect installed software on targeted systems.[3]
Enterprise T1082 System Information Discovery

Windigo has used a script to detect which Linux distribution and version is currently installed on the system.[3]

Software

ID Name References Techniques
S0377 Ebury [4] Application Layer Protocol: DNS, Automated Exfiltration, Command and Scripting Interpreter: Unix Shell, Command and Scripting Interpreter: Python, Compromise Host Software Binary, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Fallback Channels, Hijack Execution Flow: Dynamic Linker Hijacking, Impair Defenses: Disable or Modify Tools, Impair Defenses: Disable or Modify Linux Audit System, Impair Defenses: Indicator Blocking, Modify Authentication Process: Pluggable Authentication Modules, Modify Authentication Process, Obfuscated Files or Information, Rootkit, Shared Modules, Subvert Trust Controls: Code Signing, Unsecured Credentials: Private Keys

References

  1. Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., Léveillé, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign. Retrieved February 10, 2021.
  2. CERN. (2019, June 4). 2019/06/04 Advisory: Windigo attacks. Retrieved February 10, 2021.
  1. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  2. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.