Derusbi is malware used by multiple Chinese APT groups.[1][2] Both Windows and Linux variants have been observed.[3]

ID: S0021
Associated Software: PHOTO
Platforms: Windows, Linux
Version: 1.2
Created: 31 May 2017
Last Modified: 15 April 2022

Associated Software Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1123 Audio Capture

Derusbi is capable of performing audio captures.[4]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Derusbi is capable of creating a remote Bash shell and executing commands.[3][4]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Derusbi obfuscates C2 traffic with variable 4-byte XOR keys.[3]

Enterprise T1008 Fallback Channels

Derusbi uses a backup communication method with an HTTP beacon.[3]

Enterprise T1083 File and Directory Discovery

Derusbi is capable of obtaining directory, file, and drive listings.[3][4]

Enterprise T1070 .004 Indicator Removal: File Deletion

Derusbi is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk as well as overwriting the data with null bytes.[3][4]

.006 Indicator Removal: Timestomp

The Derusbi malware supports timestomping.[1][3]

Enterprise T1056 .001 Input Capture: Keylogging

Derusbi is capable of logging keystrokes.[4]

Enterprise T1095 Non-Application Layer Protocol

Derusbi binds to a raw socket on a random source port between 31800 and 31900 for C2.[3]

Enterprise T1571 Non-Standard Port

Derusbi has used unencrypted HTTP on port 443 for C2.[3]

Enterprise T1057 Process Discovery

Derusbi collects current and parent process IDs.[3][4]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Derusbi injects itself into the secure shell (SSH) process.[5]

Enterprise T1012 Query Registry

Derusbi is capable of enumerating Registry keys and values.[4]

Enterprise T1113 Screen Capture

Derusbi is capable of performing screen captures.[4]

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Derusbi variants have been seen that use Registry persistence to proxy execution through regsvr32.exe.[6]

Enterprise T1082 System Information Discovery

Derusbi gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system.[3]

Enterprise T1033 System Owner/User Discovery

A Linux version of Derusbi checks if the victim user ID is anything other than zero (normally used for root), and the malware will not execute if it does not have root privileges. Derusbi also gathers the username of the victim.[3]

Enterprise T1125 Video Capture

Derusbi is capable of capturing video.[4]

Groups That Use This Software

ID Name References
G0096 APT41


G0001 Axiom


G0065 Leviathan


G0009 Deep Panda