Umbreon

A Linux rootkit that provides backdoor access and hides from defenders.

ID: S0221
Type: MALWARE
Platforms: Linux

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, which provides a reverse shell upon receipt of a special packet.
Enterprise | T1205 | Port Knocking | Umbreon provides additional access using its backdoor Espeon, which provides a reverse shell upon receipt of a special packet.
Enterprise | T1014 | Rootkit | Umbreon hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence (such as the user account it creates to provide access) and undermining strace, a tool often used to identify malware.
Enterprise | T1071 | Standard Application Layer Protocol | Umbreon provides access to the system via SSH or any other protocol that uses PAM to authenticate.
Enterprise | T1078 | Valid Accounts | Umbreon creates valid users to provide access to the system.
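The T1014 row describes a userland rootkit that hooks libc calls so that programs going through libc (ls, ps, strace, anything calling readdir()) no longer see its artifacts. A defender can exploit the gap this leaves: the kernel still answers a raw getdents64 syscall truthfully, and a preload hook normally has to be registered somewhere visible. The script below is an added illustration of that cross-check and is not Umbreon's code or an ATT&CK-provided tool; the syscall-number table, the hard-coded preload path and the sample directory entries are assumptions made for the example.

```python
"""Consistency checks for LD_PRELOAD-style libc hooking on Linux.

Added illustration, not malware or project code. A rootkit that hooks
libc's readdir() can hide entries from every libc-backed program, but
it cannot change what the kernel returns to a direct getdents64 syscall.
Listing a directory both ways and diffing the results surfaces hidden
names; the preload file and environment are checked for the hook itself.
"""
import ctypes
import os
import platform
import struct
import sys

# Linux getdents64 syscall numbers; assumed table covering only two architectures.
SYS_GETDENTS64 = {"x86_64": 217, "aarch64": 61}

# struct linux_dirent64 header: d_ino (u64), d_off (s64), d_reclen (u16), d_type (u8),
# followed by a NUL-terminated d_name padded to the record length.
_DIRENT_HDR = struct.Struct("<QqHB")


def parse_dirents(buf: bytes) -> list:
    """Parse a getdents64 buffer into entry names, skipping '.' and '..'."""
    names, off = [], 0
    while off + _DIRENT_HDR.size <= len(buf):
        _ino, _doff, reclen, _dtype = _DIRENT_HDR.unpack_from(buf, off)
        if reclen == 0:  # malformed record; stop rather than loop forever
            break
        name_field = buf[off + _DIRENT_HDR.size: off + reclen]
        name = name_field.split(b"\0", 1)[0].decode("utf-8", "surrogateescape")
        if name not in (".", ".."):
            names.append(name)
        off += reclen
    return names


def build_dirent(name: str, ino: int = 1, dtype: int = 8) -> bytes:
    """Construct one linux_dirent64 record; used only to build sample buffers."""
    raw = name.encode() + b"\0"
    reclen = (_DIRENT_HDR.size + len(raw) + 7) & ~7  # kernel pads records to 8 bytes
    return _DIRENT_HDR.pack(ino, 0, reclen, dtype) + raw.ljust(reclen - _DIRENT_HDR.size, b"\0")


def raw_listdir(path: str) -> list:
    """List a directory through a direct getdents64 syscall, bypassing readdir()."""
    nr = SYS_GETDENTS64.get(platform.machine())
    if nr is None:
        raise OSError(f"no getdents64 number known for {platform.machine()}")
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    names = []
    try:
        buf = ctypes.create_string_buffer(65536)
        while True:
            n = libc.syscall(ctypes.c_long(nr), ctypes.c_int(fd), buf, ctypes.c_size_t(len(buf)))
            if n < 0:
                raise OSError(ctypes.get_errno(), "getdents64 failed")
            if n == 0:
                break
            names.extend(parse_dirents(buf.raw[:n]))
    finally:
        os.close(fd)
    return names


def hidden_entries(libc_view, raw_view) -> list:
    """Names the kernel reports that the libc-backed listing omits."""
    return sorted(set(raw_view) - set(libc_view))


def preload_indicators(preload_path: str = "/etc/ld.so.preload", env=None) -> list:
    """Return human-readable indicators that a library is being preloaded into processes."""
    env = os.environ if env is None else env
    findings = []
    if env.get("LD_PRELOAD"):
        findings.append(f"LD_PRELOAD set in environment: {env['LD_PRELOAD']}")
    try:
        with open(preload_path, "rb") as fh:
            libs = [l.strip() for l in fh.read().decode("utf-8", "replace").splitlines() if l.strip()]
    except FileNotFoundError:
        libs = []
    except OSError as exc:
        findings.append(f"{preload_path} unreadable: {exc}")
        libs = []
    for lib in libs:
        findings.append(f"{preload_path} preloads {lib}")
    return findings


def audit_directory(path: str) -> list:
    """Diff libc's view (os.listdir -> readdir) against the raw kernel view."""
    return hidden_entries(os.listdir(path), raw_listdir(path))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc"
    for line in preload_indicators():
        print("[!]", line)
    for name in audit_directory(target):
        print(f"[!] {target}/{name} is hidden from libc readdir()")
```

Run it as `python3 check.py /etc` on a Linux host; a clean system prints nothing. Two caveats: the raw listing still goes through libc's `syscall()` wrapper, which a hook could in principle also cover, so a static binary or an agent that issues the syscall itself is stronger; and a rootkit that edits `/etc/ld.so.preload` can equally hook `open()` to hide its own entry, which is why the directory diff and the preload check are run together rather than trusted alone.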