1. Home
  2. Software
  3. Fysbis

Fysbis

Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014.[1]

ID: S0410
Type: MALWARE
Platforms: Linux
Version: 1.4
Created: 12 September 2019
Last Modified: 11 April 2024
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1547 .013 Boot or Logon Autostart Execution: XDG Autostart Entries

If executing without root privileges, Fysbis adds a .desktop configuration file to the user's ~/.config/autostart directory.[2][3]
Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Fysbis has the ability to create and execute commands in a remote shell for CLI.[1]
Enterprise T1543 .002 Create or Modify System Process: Systemd Service

Fysbis has established persistence using a systemd service.[3]
Enterprise T1132 .001 Data Encoding: Standard Encoding

Fysbis can use Base64 to encode its C2 traffic.[3]
Enterprise T1083 File and Directory Discovery

Fysbis has the ability to search for files.[3]

Enterprise T1070 .004 Indicator Removal: File Deletion

Fysbis has the ability to delete files.[3]
Enterprise T1056 .001 Input Capture: Keylogging

Fysbis can perform keylogging.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Fysbis has masqueraded as the rsyncd and dbus-inotifier services.[3]
.005 Masquerading: Match Legitimate Name or Location

Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier.[3]
Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Fysbis has been encrypted using XOR and RC4.[3]

Enterprise T1057 Process Discovery

Fysbis can collect information about running processes.[3]

Enterprise T1082 System Information Discovery

Fysbis has used the command ls /etc | egrep -e"fedora*|debian*|gentoo*|mandriva*|mandrake*|meego*|redhat*|lsb-*|sun-*|SUSE*|release" to determine which Linux OS version is running.[1]

Groups That Use This Software

ID Name References
G0007 APT28

[1]

References

  1. Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017.
  2. TONY LAMBERT. (2022, June 7). Trapping the Netwire RAT on Linux. Retrieved September 28, 2023.
  1. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.