This is a custom instance of the MITRE ATT&CK Website. The official website can be found at attack.mitre.org.

SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

Umbreon

A Linux rootkit that provides backdoor access and hides from defenders.

ID: S0221

ⓘ

Type: MALWARE

ⓘ

Platforms: Linux

Version: 1.1

Created: 18 April 2018

Last Modified: 01 July 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet^[1]
Enterprise	T1095		Non-Application Layer Protocol	Umbreon provides access to the system via SSH or any other protocol that uses PAM to authenticate.^[1]
Enterprise	T1014		Rootkit	Umbreon hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access and undermining strace, a tool often used to identify malware.^[1]
Enterprise	T1205		Traffic Signaling	Umbreon provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet.^[1]
Enterprise	T1078	.003	Valid Accounts: Local Accounts	Umbreon creates valid local users to provide access to the system.^[1]

References

Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.