Penquin

Penquin is a remote access trojan (RAT) with multiple versions used by Turla to target Linux systems since at least 2014.[1][2]

ID: S0587
Associated Software: Penquin 2.0, Penquin_x64
Type: MALWARE
Platforms: Linux
Contributors: Silvio La Porta, @LDO_CyberSec, Leonardo's Cyber Security Division; Antonio Villani, @LDO_CyberSec, Leonardo's Cyber Security Division; Nino Verde, @LDO_CyberSec, Leonardo's Cyber Security Division
Version: 1.1
Created: 11 March 2021
Last Modified: 20 October 2022

Associated Software Descriptions

Name Description
Penquin 2.0

[2]

Penquin_x64

[2]

Techniques Used

Domain ID Name Use
Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Penquin can execute remote commands using bash scripts.[2]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Penquin can encrypt communications using the BlowFish algorithm and a symmetric key exchanged with Diffie Hellman.[2]

Enterprise T1041 Exfiltration Over C2 Channel

Penquin can execute the command code do_upload to send files to C2.[2]

Enterprise T1083 File and Directory Discovery

Penquin can use the command code do_vslist to send file names, size, and status to C2.[2]

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

Penquin can add the executable flag to a downloaded file.[2]

Enterprise T1070 .004 Indicator Removal: File Deletion

Penquin can delete downloaded executables after running them.[2]

Enterprise T1105 Ingress Tool Transfer

Penquin can execute the command code do_download to retrieve remote files from C2.[2]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Penquin has mimicked the Cron binary to hide itself on compromised systems.[2]

Enterprise T1040 Network Sniffing

Penquin can sniff network traffic to look for packets matching specific conditions.[2][1]

Enterprise T1095 Non-Application Layer Protocol

The Penquin C2 mechanism is based on TCP and UDP packets.[1][2]

Enterprise T1027 Obfuscated Files or Information

Penquin has encrypted strings in the binary for obfuscation.[2]

.005 Indicator Removal from Tools

Penquin can remove strings from binaries.[2]

Enterprise T1053 .003 Scheduled Task/Job: Cron

Penquin can use Cron to create periodic and pre-scheduled background jobs.[2]

Enterprise T1082 System Information Discovery

Penquin can report the file system type and disk space of a compromised host to C2.[2]

Enterprise T1016 System Network Configuration Discovery

Penquin can report the IP of the compromised host to attacker controlled infrastructure.[2]

Enterprise T1205 Traffic Signaling

Penquin will connect to C2 only after sniffing a "magic packet" value in TCP or UDP packets matching specific conditions.[2][1]

.002 Socket Filters

Penquin installs a TCP and UDP filter on the eth0 interface.[2]

Groups That Use This Software

ID Name References
G0010 Turla

[2]

References