Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014.[1]

ID: S0410
Platforms: Linux
Version: 1.2
Created: 12 September 2019
Last Modified: 06 November 2020

Techniques Used

Domain ID Name Use
Enterprise T1547 .013 Boot or Logon Autostart Execution: XDG Autostart Entries

Fysbis has installed itself as an autostart entry under ~/.config/autostart/dbus-inotifier.desktop to establish persistence.[2]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Fysbis has the ability to create and execute commands in a remote shell for CLI.[1]

Enterprise T1543 .002 Create or Modify System Process: Systemd Service

Fysbis has established persistence using a systemd service.[2]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Fysbis can use Base64 to encode its C2 traffic.[2]

Enterprise T1083 File and Directory Discovery

Fysbis has the ability to search for files.[2]

Enterprise T1070 .004 Indicator Removal: File Deletion

Fysbis has the ability to delete files.[2]

Enterprise T1056 .001 Input Capture: Keylogging

Fysbis can perform keylogging.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Fysbis has masqueraded as the rsyncd and dbus-inotifier services.[2]

.005 Masquerading: Match Legitimate Name or Location

Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier.[2]

Enterprise T1027 Obfuscated Files or Information

Fysbis has been encrypted using XOR and RC4.[2]

Enterprise T1057 Process Discovery

Fysbis can collect information about running processes.[2]

Enterprise T1082 System Information Discovery

Fysbis has used the command ls /etc | egrep -e"fedora*|debian*|gentoo*|mandriva*|mandrake*|meego*|redhat*|lsb-*|sun-*|SUSE*|release" to determine which Linux OS version is running.[1]

Groups That Use This Software

ID Name References
G0007 APT28