Software: Derusbi, PHOTO

Derusbi, PHOTO
ID S0021
Aliases Derusbi, PHOTO
Type Malware
Platform Linux, Windows

Derusbi is malware used by multiple Chinese APT groups.[1][2] Both Windows and Linux variants have been observed.[3]

Alias Descriptions

  • Derusbi - [1]
  • PHOTO - [4]

Techniques Used

  • Timestomp - The Derusbi malware supports timestomping.[1][3]
  • File Deletion - Derusbi is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting the module file from disk, overwriting its contents with null bytes before removal.[3][4]
  • System Owner/User Discovery - The Linux version of Derusbi checks whether the user ID of the victim process is zero (root); if it is not running with root privileges, the malware will not execute.[3]
  • System Information Discovery - Derusbi gathers the local host name, the version of the GNU Compiler Collection (GCC) used to build the kernel, and system information about the machine and operating system.[3]
  • Regsvr32 - Derusbi variants have been seen that use Registry persistence to proxy execution through regsvr32.exe.[5]
  • Query Registry - Derusbi is capable of enumerating Registry keys and values.[4]
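Two of the Linux behaviours above leave artifacts a defender can hunt for: a kernel module that is still loaded after its .ko file was wiped and deleted, and files whose modification time was set into the past. The following script is an added example written for this page, not Derusbi's code and not part of the ATT&CK entry; it implements both checks over constructed sample data (the module name "sample_rootkit", the paths and the timestamps are all made up) so it runs offline. On a live host, feed it the contents of /proc/modules and /lib/modules/$(uname -r)/modules.dep and the output of stat_entry() on the files of interest. The thresholds and the heuristic names are assumptions, not indicators from the cited reports.

```python
"""Hunt heuristics for two Derusbi Linux behaviours (added example).

(1) A module listed in /proc/modules that has no .ko installed under
    /lib/modules (modules.dep) is a candidate for the load-then-delete trick.
(2) utimes()/utimensat() can rewrite atime/mtime but not ctime, which the
    kernel updates to "now" on every inode change. A file whose mtime is far
    older than its ctime, or older than the inode's birth time, is a
    timestomp candidate. Note the false-positive sources: chmod/chown and
    archive extraction (tar -x preserves mtime) also leave ctime > mtime, so
    the mtime-before-birth-time test is the stronger signal.
"""
import os
import re

# ---- (1) loaded modules with no installed .ko file --------------------------

def module_name_from_path(path: str) -> str:
    """'kernel/sound/pci/hda/snd-hda-intel.ko.xz' -> 'snd_hda_intel'.
    The kernel reports module names with underscores regardless of filename,
    and distributions ship compressed .ko.xz/.ko.gz/.ko.zst files."""
    base = os.path.basename(path)
    base = re.sub(r"\.ko(\.(gz|xz|zst))?$", "", base)
    return base.replace("-", "_")

def parse_proc_modules(text: str) -> list[str]:
    """First whitespace-separated column of /proc/modules is the module name."""
    return [line.split()[0] for line in text.splitlines() if line.strip()]

def parse_modules_dep(text: str) -> set[str]:
    """modules.dep lines read 'relative/path/mod.ko: dep1.ko dep2.ko'."""
    names = set()
    for line in text.splitlines():
        if ":" in line:
            names.add(module_name_from_path(line.split(":", 1)[0]))
    return names

def orphaned_modules(proc_modules: str, modules_dep: str) -> list[str]:
    """Loaded modules that are not installed under /lib/modules.
    A hand-insmod'd out-of-tree module will also show up here, so treat the
    result as a triage list, not a verdict."""
    installed = parse_modules_dep(modules_dep)
    return [m for m in parse_proc_modules(proc_modules) if m not in installed]

# ---- (2) timestomp heuristics on (path, mtime, ctime, btime) tuples ----------

def stat_entry(path: str):
    """Build an entry from the live filesystem. st_birthtime is only present
    where the Python/OS combination exposes it (statx on recent Linux)."""
    st = os.stat(path, follow_symlinks=False)
    return (path, st.st_mtime, st.st_ctime, getattr(st, "st_birthtime", None))

def timestomp_suspects(entries, min_gap_seconds: float = 86400.0):
    """Return [(path, reason)] for entries whose timestamps look rewritten.
    entries: iterable of (path, mtime, ctime, btime_or_None), epoch seconds.
    Reasons: 'mtime_before_birth' (strong) or 'ctime_gap' (weak, see above).
    The one-day gap is an assumed threshold, not a published indicator."""
    hits = []
    for path, mtime, ctime, btime in entries:
        if btime is not None and mtime < btime:
            hits.append((path, "mtime_before_birth"))
        elif ctime - mtime > min_gap_seconds:
            hits.append((path, "ctime_gap"))
    return hits

# ---- constructed sample data (not from a real host) -------------------------

SAMPLE_PROC_MODULES = """\
sample_rootkit 16384 0 - Live 0x0000000000000000 (O)
ext4 733184 1 - Live 0x0000000000000000
snd_hda_intel 53248 0 - Live 0x0000000000000000
"""

SAMPLE_MODULES_DEP = """\
kernel/fs/ext4/ext4.ko.xz: kernel/lib/crc16.ko.xz kernel/fs/jbd2/jbd2.ko.xz
kernel/sound/pci/hda/snd-hda-intel.ko.xz: kernel/sound/pci/hda/snd-hda-codec.ko.xz
"""

SAMPLE_ENTRIES = [
    # normal file: ctime only an hour after mtime, no birth time available
    ("/bin/ls",      1_600_000_000, 1_600_003_600, None),
    # mtime pushed back to 2010 but inode was born in 2023: strong signal
    ("/tmp/.x",      1_262_304_000, 1_700_000_000, 1_699_990_000),
    # mtime months before ctime, born before both: could be chmod, weak signal
    ("/etc/passwd",  1_690_000_000, 1_700_000_000, 1_680_000_000),
]

if __name__ == "__main__":
    for m in orphaned_modules(SAMPLE_PROC_MODULES, SAMPLE_MODULES_DEP):
        print(f"loaded module with no installed .ko: {m}")
    for path, reason in timestomp_suspects(SAMPLE_ENTRIES):
        print(f"timestomp candidate: {path} ({reason})")
```

The module check deliberately keys on modules.dep rather than on the module's own metadata, because once the .ko has been overwritten and unlinked there is nothing left on disk to hash; /proc/modules and /sys/module/<name> survive only in memory, which is exactly why the comparison against the installed module tree is useful. Corroborate any hit with the module's taint flags and dmesg before acting on it.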


The following groups use this software: