Derusbi is malware used by multiple Chinese APT groups. [1] [2] Both Windows and Linux variants have been observed. [3]

ID: S0021
Associated Software: PHOTO

Platforms: Windows, Linux

Version: 1.0

Associated Software Descriptions


Techniques Used

EnterpriseT1123Audio CaptureDerusbi is capable of performing audio captures.[4]
EnterpriseT1059Command-Line InterfaceDerusbi is capable of creating a remote Bash shell and executing commands.[3][4]
EnterpriseT1043Commonly Used PortDerusbi beacons to destination port 443.[3]
EnterpriseT1094Custom Command and Control ProtocolDerusbi binds to a raw socket on a random source port between 31800 and 31900 for C2.[3]
EnterpriseT1024Custom Cryptographic ProtocolDerusbi obfuscates C2 traffic with variable 4-byte XOR keys.[3]
EnterpriseT1008Fallback ChannelsDerusbi uses a backup communication method with an HTTP beacon.[3]
EnterpriseT1083File and Directory DiscoveryDerusbi is capable of obtaining directory, file, and drive listings.[3][4]
EnterpriseT1107File DeletionDerusbi is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk as well as overwriting the data with null bytes.[3][4]
EnterpriseT1056Input CaptureDerusbi is capable of logging keystrokes.[4]
EnterpriseT1057Process DiscoveryDerusbi collects current and parent process IDs.[3][4]
EnterpriseT1055Process InjectionDerusbi injects itself into the secure shell (SSH) process.[5]
EnterpriseT1012Query RegistryDerusbi is capable of enumerating Registry keys and values.[4]
EnterpriseT1117Regsvr32Derusbi variants have been seen that use Registry persistence to proxy execution through regsvr32.exe.[6]
EnterpriseT1113Screen CaptureDerusbi is capable of performing screen captures.[4]
EnterpriseT1095Standard Non-Application Layer ProtocolDerusbi binds to a raw socket on a random source port between 31800 and 31900 for C2.[3]
EnterpriseT1082System Information DiscoveryDerusbi gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system.[3]
EnterpriseT1033System Owner/User DiscoveryA Linux version of Derusbi checks if the victim user ID is anything other than zero (normally used for root), and the malware will not execute if it does not have root privileges. Derusbi also gathers the username of the victim.[3]
EnterpriseT1099TimestompThe Derusbi malware supports timestomping.[1][3]
EnterpriseT1125Video CaptureDerusbi is capable of capturing video.[4]


Groups that use this software:

Deep Panda