Aliases: Derusbi, PHOTO
Platforms: Windows, Linux
|Enterprise||T1123||Audio Capture||Derusbi is capable of performing audio captures.|
|Enterprise||T1059||Command-Line Interface||Derusbi is capable of creating a remote Bash shell and executing commands.|
|Enterprise||T1043||Commonly Used Port||Derusbi beacons to destination port 443.|
|Enterprise||T1094||Custom Command and Control Protocol||Derusbi binds to a raw socket on a random source port between 31800 and 31900 for C2.|
|Enterprise||T1024||Custom Cryptographic Protocol||Derusbi obfuscates C2 traffic with variable 4-byte XOR keys.|
|Enterprise||T1008||Fallback Channels||Derusbi uses a backup communication method with an HTTP beacon.|
|Enterprise||T1083||File and Directory Discovery||Derusbi is capable of obtaining directory, file, and drive listings.|
|Enterprise||T1107||File Deletion||Derusbi is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk as well as overwriting the data with null bytes.|
|Enterprise||T1056||Input Capture||Derusbi is capable of logging keystrokes.|
|Enterprise||T1057||Process Discovery||Derusbi collects current and parent process IDs.|
|Enterprise||T1055||Process Injection||Derusbi injects itself into the secure shell (SSH) process.|
|Enterprise||T1012||Query Registry||Derusbi is capable of enumerating Registry keys and values.|
|Enterprise||T1117||Regsvr32||Derusbi variants have been seen that use Registry persistence to proxy execution through regsvr32.exe.|
|Enterprise||T1113||Screen Capture||Derusbi is capable of performing screen captures.|
|Enterprise||T1095||Standard Non-Application Layer Protocol||Derusbi binds to a raw socket on a random source port between 31800 and 31900 for C2.|
|Enterprise||T1082||System Information Discovery||Derusbi gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system.|
|Enterprise||T1033||System Owner/User Discovery||A Linux version of Derusbi checks if the victim user ID is anything other than zero (normally used for root), and the malware will not execute if it does not have root privileges. Derusbi also gathers the username of the victim.|
|Enterprise||T1099||Timestomp||The Derusbi malware supports timestomping.|
|Enterprise||T1125||Video Capture||Derusbi is capable of capturing video.|
Groups that use this software:Axiom
- Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
- ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.
- Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- Perigaud, F. (2015, December 15). Newcomers in the Derusbi family. Retrieved December 20, 2017.
- Fidelis Threat Research Team. (2016, May 2). Turbo Twist: Two 64-bit Derusbi Strains Converge. Retrieved August 16, 2018.