{"description": "Enterprise techniques used by Derusbi, ATT&CK software S0021 (v1.2)", "name": "Derusbi (S0021)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1123", "comment": "[Derusbi](https://attack.mitre.org/software/S0021) is capable of performing audio captures.(Citation: FireEye Periscope March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.004", "comment": "[Derusbi](https://attack.mitre.org/software/S0021) is capable of creating a remote Bash shell and executing commands.(Citation: Fidelis Turbo)(Citation: FireEye Periscope March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Derusbi](https://attack.mitre.org/software/S0021) obfuscates C2 traffic with variable 4-byte XOR keys.(Citation: Fidelis Turbo)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1008", "comment": "[Derusbi](https://attack.mitre.org/software/S0021) uses a backup communication method with an HTTP beacon.(Citation: Fidelis Turbo)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Derusbi](https://attack.mitre.org/software/S0021) is capable of obtaining directory, file, and drive listings.(Citation: Fidelis Turbo)(Citation: FireEye Periscope March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Derusbi](https://attack.mitre.org/software/S0021) is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk as well as overwriting the data with null bytes.(Citation: Fidelis Turbo)(Citation: FireEye Periscope March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "The [Derusbi](https://attack.mitre.org/software/S0021) malware supports timestomping.(Citation: Novetta-Axiom)(Citation: Fidelis Turbo)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[Derusbi](https://attack.mitre.org/software/S0021) is capable of logging keystrokes.(Citation: FireEye Periscope March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1095", "comment": "[Derusbi](https://attack.mitre.org/software/S0021) binds to a raw socket on a random source port between 31800 and 31900 for C2.(Citation: Fidelis Turbo)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1571", "comment": "[Derusbi](https://attack.mitre.org/software/S0021) has used unencrypted HTTP on port 443 for C2.(Citation: Fidelis Turbo)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[Derusbi](https://attack.mitre.org/software/S0021) collects current and parent process IDs.(Citation: Fidelis Turbo)(Citation: FireEye Periscope March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[Derusbi](https://attack.mitre.org/software/S0021) injects itself into the secure shell (SSH) process.(Citation: Airbus Derusbi 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[Derusbi](https://attack.mitre.org/software/S0021) is capable of enumerating Registry keys and values.(Citation: FireEye Periscope March 2018)", 
"score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[Derusbi](https://attack.mitre.org/software/S0021) is capable of performing screen captures.(Citation: FireEye Periscope March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.010", "comment": "[Derusbi](https://attack.mitre.org/software/S0021) variants have been seen that use Registry persistence to proxy execution through regsvr32.exe.(Citation: ThreatGeek Derusbi Converge)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Derusbi](https://attack.mitre.org/software/S0021) gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system.(Citation: Fidelis Turbo)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "A Linux version of [Derusbi](https://attack.mitre.org/software/S0021) checks if the victim user ID is anything other than zero (normally used for root), and the malware will not execute if it does not have root privileges. [Derusbi](https://attack.mitre.org/software/S0021) also gathers the username of the victim.(Citation: Fidelis Turbo)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1125", "comment": "[Derusbi](https://attack.mitre.org/software/S0021) is capable of capturing video.(Citation: FireEye Periscope March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Derusbi", "color": "#66b1ff"}]}