Windigo

The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, Windigo operators continued updating Ebury through 2019.[1][2]

ID: G0124
Version: 1.0
Created: 10 February 2021
Last Modified: 26 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1059 Command and Scripting Interpreter

Windigo has used a Perl script for information gathering.[3]

Enterprise T1005 Data from Local System

Windigo has used a script to gather credentials in files left on disk by OpenSSH backdoors.[3]

Enterprise T1189 Drive-by Compromise

Windigo has distributed Windows malware via drive-by downloads.[1]

Enterprise T1083 File and Directory Discovery

Windigo has used a script to check for the presence of files created by OpenSSH backdoors.[3]

Enterprise T1090 Proxy

Windigo has delivered a generic Windows proxy Win32/Glubteta.M. Windigo has also used multiple reverse proxy chains as part of their C2 infrastructure.[1]

Enterprise T1518 Software Discovery

Windigo has used a script to detect installed software on targeted systems.[3]

Enterprise T1082 System Information Discovery

Windigo has used a script to detect which Linux distribution and version is currently installed on the system.[3]

Software

References