Fysbis

Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014.[1]

ID: S0410
Type: MALWARE
Platforms: Linux
Version: 1.4
Created: 12 September 2019
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1547 .013 Boot or Logon Autostart Execution: XDG Autostart Entries

If executing without root privileges, Fysbis adds a .desktop configuration file to the user's ~/.config/autostart directory.[2][3]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Fysbis has the ability to create and execute commands in a remote shell for CLI.[1]

Enterprise T1543 .002 Create or Modify System Process: Systemd Service

Fysbis has established persistence using a systemd service.[3]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Fysbis can use Base64 to encode its C2 traffic.[3]

Enterprise T1083 File and Directory Discovery

Fysbis has the ability to search for files.[3]

Enterprise T1070 .004 Indicator Removal: File Deletion

Fysbis has the ability to delete files.[3]

Enterprise T1056 .001 Input Capture: Keylogging

Fysbis can perform keylogging.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Fysbis has masqueraded as the rsyncd and dbus-inotifier services.[3]

.005 Masquerading: Match Legitimate Name or Location

Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier.[3]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Fysbis has been encrypted using XOR and RC4.[3]

Enterprise T1057 Process Discovery

Fysbis can collect information about running processes.[3]

Enterprise T1082 System Information Discovery

Fysbis has used the command ls /etc | egrep -e"fedora*|debian*|gentoo*|mandriva*|mandrake*|meego*|redhat*|lsb-*|sun-*|SUSE*|release" to determine which Linux OS version is running.[1]

Groups That Use This Software

ID Name References
G0007 APT28

[1]

References