Exaramel for Linux

Exaramel for Linux is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under Exaramel for Windows.[1]

ID: S0401
Platforms: Linux
Version: 1.1
Created: 26 August 2019
Last Modified: 20 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Exaramel for Linux uses HTTPS for C2 communications.[1]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Exaramel for Linux has a command to execute a shell command on the system.[1]

Enterprise T1543 .002 Create or Modify System Process: Systemd Service

Exaramel for Linux has a hardcoded location under systemd that it uses to achieve persistence if it is running as root.[1]

Enterprise T1105 Ingress Tool Transfer

Exaramel for Linux has a command to download a file from a remote server.[1]

Enterprise T1027 Obfuscated Files or Information

Exaramel for Linux uses RC4 for encrypting the configuration.[1]

Enterprise T1053 .003 Scheduled Task/Job: Cron

Exaramel for Linux uses crontab for persistence if it does not have root privileges.[1]

Groups That Use This Software

ID Name References
G0034 Sandworm Team