Umbreon

A Linux rootkit that provides backdoor access and hides from defenders.

ID: S0221
Type: MALWARE
Platforms: Linux
Version: 1.1
Created: 18 April 2018
Last Modified: 01 July 2020

Techniques Used

Domain ID Name Use
Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, which provides a reverse shell upon receipt of a special packet.[1]

Enterprise T1095 Non-Application Layer Protocol

Umbreon provides access to the system via SSH or any other protocol that uses PAM to authenticate.[1]

Enterprise T1014 Rootkit

Umbreon hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence (such as the user account it creates to provide access), and undermining strace, a tool often used to identify malware.[1]

Enterprise T1205 Traffic Signaling

Umbreon provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet.[1]

Enterprise T1078.003 Valid Accounts: Local Accounts

Umbreon creates valid local users to provide access to the system.[1]
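The two entries above (hiding artifacts by hooking libc, and creating a local account for access) suggest a simple cross-view check a defender can run. The code below is an added example; it is not code from the Umbreon sample and not part of this ATT&CK entry. It reads /etc/passwd directly and compares that with what libc reports through getpwent (Python's pwd.getpwall): a user-space rootkit that hooks libc can filter the second view, but it does not change the bytes in the file. The sample passwd text and the "simulated libc view" are constructed for the demonstration, and the function names are my own.

```python
"""Cross-view check for a local account hidden by a libc-hooking rootkit.

Added example, not the malware's code and not from the ATT&CK entry.
View 1: parse /etc/passwd ourselves (plain file read).
View 2: ask libc via pwd.getpwall(), which goes through getpwent().
An account present in view 1 but absent from view 2 is a strong signal
that something between the file and the caller is filtering results.
"""

try:
    import pwd  # POSIX only; the live check needs it, the pure helpers do not
except ImportError:  # e.g. Windows
    pwd = None


def parse_passwd(text):
    """Return {username: uid} from passwd-format text (the direct file view)."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line: skip rather than abort the whole check
        name, uid = fields[0], fields[2]
        try:
            users[name] = int(uid)
        except ValueError:
            continue
    return users


def hidden_accounts(file_view, libc_view):
    """Compare the two views.

    Returns (hidden, mismatched):
      hidden     - names in the raw file that the libc view does not report
      mismatched - names in both views whose uid differs (e.g. a uid-0 entry
                   presented as an ordinary user)
    """
    hidden = sorted(n for n in file_view if n not in libc_view)
    mismatched = sorted(
        n for n in file_view if n in libc_view and file_view[n] != libc_view[n]
    )
    return hidden, mismatched


def extra_uid0(file_view):
    """Accounts other than root that carry uid 0 (another common backdoor sign)."""
    return sorted(n for n, uid in file_view.items() if uid == 0 and n != "root")


def live_check(path="/etc/passwd"):
    """Run the comparison against the real system (Linux/Unix only)."""
    if pwd is None:
        raise RuntimeError("pwd module unavailable; live check needs a POSIX host")
    with open(path, encoding="utf-8", errors="replace") as fh:
        file_view = parse_passwd(fh.read())
    libc_view = {p.pw_name: p.pw_uid for p in pwd.getpwall()}
    return hidden_accounts(file_view, libc_view), extra_uid0(file_view)


# Constructed sample: the raw file carries an extra uid-0 account ("svcbackup")
# that the simulated, hooked libc view leaves out.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
svcbackup:x:0:0::/root:/bin/bash
"""
SIMULATED_LIBC_VIEW = {"root": 0, "daemon": 1, "alice": 1000}

if __name__ == "__main__":
    file_view = parse_passwd(SAMPLE_PASSWD)
    hidden, mismatched = hidden_accounts(file_view, SIMULATED_LIBC_VIEW)
    print("hidden from libc view:", hidden)          # ['svcbackup']
    print("uid mismatch:", mismatched)               # []
    print("extra uid-0 accounts:", extra_uid0(file_view))  # ['svcbackup']
```

On a live host, `live_check()` should return `(([], []), [])` unless name resolution uses an additional source such as LDAP (which can only add entries to the libc view, never remove them). The check is deliberately one-sided: a rootkit that also hooks open/read on /etc/passwd, or one running in the kernel, can falsify both views, so treat an empty result as absence of this particular indicator rather than as a clean bill of health, and corroborate with an offline read of the disk or a comparison against a known-good inventory.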

References