This is a custom instance of the MITRE ATT&CK Website. The official website can be found at attack.mitre.org.

SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

Fysbis

Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014.^[1]

ID: S0410

ⓘ

Type: MALWARE

ⓘ

Platforms: Linux

Version: 1.2

Created: 12 September 2019

Last Modified: 06 November 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1547	.013	Boot or Logon Autostart Execution: XDG Autostart Entries	Fysbis has installed itself as an autostart entry under `~/.config/autostart/dbus-inotifier.desktop` to establish persistence.^[2]
Enterprise	T1059	.004	Command and Scripting Interpreter: Unix Shell	Fysbis has the ability to create and execute commands in a remote shell for CLI.^[1]
Enterprise	T1543	.002	Create or Modify System Process: Systemd Service	Fysbis has established persistence using a systemd service.^[2]
Enterprise	T1132	.001	Data Encoding: Standard Encoding	Fysbis can use Base64 to encode its C2 traffic.^[2]
Enterprise	T1083		File and Directory Discovery	Fysbis has the ability to search for files.^[2]
Enterprise	T1070	.004	Indicator Removal on Host: File Deletion	Fysbis has the ability to delete files.^[2]
Enterprise	T1056	.001	Input Capture: Keylogging	Fysbis can perform keylogging.^[1]
Enterprise	T1036	.004	Masquerading: Masquerade Task or Service	Fysbis has masqueraded as the rsyncd and dbus-inotifier services.^[2]
		.005	Masquerading: Match Legitimate Name or Location	Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier.^[2]
Enterprise	T1027		Obfuscated Files or Information	Fysbis has been encrypted using XOR and RC4.^[2]
Enterprise	T1057		Process Discovery	Fysbis can collect information about running processes.^[2]
Enterprise	T1082		System Information Discovery	Fysbis has used the command `ls /etc \| egrep -e"fedora\|debian\|gentoo\|mandriva\|mandrake\|meego\|redhat\|lsb-\|sun-\|SUSE\|release"` to determine which Linux OS version is running.^[1]

Groups That Use This Software

ID	Name	References
G0007	APT28	^[1]

References

Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017.

Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.