Exaramel for Linux

Exaramel for Linux is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under Exaramel for Windows.[1]

ID: S0401
Platforms: Linux
Version: 1.0
Created: 26 August 2019
Last Modified: 04 September 2019

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | Exaramel for Linux has a command to execute a shell command on the system.[1] |
| Enterprise | T1168 | Local Job Scheduling | Exaramel for Linux uses crontab for persistence if it does not have root privileges.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Exaramel for Linux uses RC4 for encrypting the configuration.[1] |
| Enterprise | T1105 | Remote File Copy | Exaramel for Linux has a command to download a file from a remote server.[1] |
| Enterprise | T1071 | Standard Application Layer Protocol | Exaramel for Linux uses HTTPS for C2 communications.[1] |
| Enterprise | T1501 | Systemd Service | Exaramel for Linux has a hardcoded location under systemd that it uses to achieve persistence if it is running as root.[1] |