Kessel

Kessel is an advanced version of OpenSSH which acts as a custom backdoor, mainly acting to steal credentials and function as a bot. Kessel has been active since its C2 domain began resolving in August 2018.[1]

ID: S0487
Type: MALWARE
Platforms: Linux
Version: 1.0
Created: 16 July 2020
Last Modified: 10 August 2020

Techniques Used

Domain ID Name Use
Enterprise T1560 Archive Collected Data

Kessel can RC4-encrypt credentials before sending to the C2.[1]

Enterprise T1059 Command and Scripting Interpreter

Kessel can create a reverse shell between the infected host and a specified system.[1]

Enterprise T1554 Compromise Client Software Binary

Kessel has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Kessel has exfiltrated data via hexadecimal-encoded subdomain fields of DNS queries.[1]

Enterprise T1030 Data Transfer Size Limits

Kessel can split the data to be exilftrated into chunks that will fit in subdomains of DNS queries.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Kessel has decrypted the binary's configuration once the main function was launched.[1]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Kessel can exfiltrate credentials and other information via HTTP POST request, TCP, and DNS.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Kessel has exfiltrated information gathered from the infected system to the C2 server.[1]

Enterprise T1105 Ingress Tool Transfer

Kessel can download additional modules from the C2 server.[1]

Enterprise T1556 Modify Authentication Process

Kessel has trojanized the ssh_login and user-auth_pubkey functions to steal plaintext credentials.[1]

Enterprise T1027 Obfuscated Files or Information

Kessel's configuration is hardcoded and RC4 encrypted within the binary.[1]

Enterprise T1090 Proxy

Kessel can use a proxy during exfiltration if set in the configuration.[1]

Enterprise T1082 System Information Discovery

Kessel has collected the system architecture, OS version, and MAC address information.[1]

Enterprise T1016 System Network Configuration Discovery

Kessel has collected the DNS address of the infected host.[1]

References