Green Lambert

Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of Green Lambert may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.[1][2]

ID: S0690
Platforms: Windows, iOS, macOS, Linux
Contributors: Runa Sandvik
Version: 1.0
Created: 21 March 2022
Last Modified: 20 April 2022

Techniques Used

Domain ID Name Use
Enterprise T1071 .004 Application Layer Protocol: DNS

Green Lambert can use DNS for C2 communications.[2][3]

Enterprise T1547 .015 Boot or Logon Autostart Execution: Login Items

Green Lambert can add Login Items to establish persistence.[2][3]

Enterprise T1037 .004 Boot or Logon Initialization Scripts: RC Scripts

Green Lambert can add init.d and rc.d files in the /etc folder to establish persistence.[2][3]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Green Lambert can use shell scripts for execution, such as /bin/sh -c.[2][3]

Enterprise T1543 .001 Create or Modify System Process: Launch Agent

Green Lambert can create a Launch Agent with the RunAtLoad key-value pair set to true, ensuring the file runs every time a user logs in.[2][3]

.004 Create or Modify System Process: Launch Daemon

Green Lambert can add a plist file in the Library/LaunchDaemons to establish persistence.[2][3]

Enterprise T1555 .001 Credentials from Password Stores: Keychain

Green Lambert can use Keychain Services API functions to find and collect passwords, such as SecKeychainFindInternetPassword and SecKeychainItemCopyAttributesAndData.[2][3]

Enterprise T1005 Data from Local System

Green Lambert can collect data from a compromised host.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Green Lambert can use multiple custom routines to decrypt strings prior to execution.[2][3]

Enterprise T1546 .004 Event Triggered Execution: Unix Shell Configuration Modification

Green Lambert can establish persistence on a compromised host through modifying the profile, login, and run command (rc) files associated with the bash, csh, and tcsh shells. [2][3]

Enterprise T1070 .004 Indicator Removal: File Deletion

Green Lambert can delete the original executable after initial installation in addition to unused functions.[2][3]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Green Lambert has created a new executable named Software Update Check to appear legitimate.[2][3]

.005 Masquerading: Match Legitimate Name or Location

Green Lambert has been disguised as a Growl help file.[2][3]

Enterprise T1027 Obfuscated Files or Information

Green Lambert has encrypted strings.[2][3]

Enterprise T1090 Proxy

Green Lambert can use proxies for C2 traffic.[2][3]

Enterprise T1082 System Information Discovery

Green Lambert can use uname to identify the operating system name, version, and processor type.[2][3]

Enterprise T1016 System Network Configuration Discovery

Green Lambert can obtain proxy information from a victim's machine using system environment variables.[2][3]

Enterprise T1124 System Time Discovery

Green Lambert can collect the date and time from a compromised host.[2][3]