Skip to content

Hide Navigation Hide TOC

Windigo - G0124 (4e868dad-682d-4897-b8df-2dc98f46c68a)

The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, Windigo operators continued updating Ebury through 2019.(Citation: ESET Windigo Mar 2014)(Citation: CERN Windigo June 2019)

Cluster A Galaxy A Cluster B Galaxy B Level
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Windigo - G0124 (4e868dad-682d-4897-b8df-2dc98f46c68a) Intrusion Set 1
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Windigo - G0124 (4e868dad-682d-4897-b8df-2dc98f46c68a) Intrusion Set 1
Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware Windigo - G0124 (4e868dad-682d-4897-b8df-2dc98f46c68a) Intrusion Set 1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Windigo - G0124 (4e868dad-682d-4897-b8df-2dc98f46c68a) Intrusion Set 1
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windigo - G0124 (4e868dad-682d-4897-b8df-2dc98f46c68a) Intrusion Set 1
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern Windigo - G0124 (4e868dad-682d-4897-b8df-2dc98f46c68a) Intrusion Set 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Windigo - G0124 (4e868dad-682d-4897-b8df-2dc98f46c68a) Intrusion Set 1
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Windigo - G0124 (4e868dad-682d-4897-b8df-2dc98f46c68a) Intrusion Set 1
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware 2
Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware 2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware 2
Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825) Attack Pattern 2
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware 2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware 2
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware 2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware 2
Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern 2
Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware Compromise Host Software Binary - T1554 (960c3c86-1480-4d72-b4e0-8c242e84a5c5) Attack Pattern 2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware 2
Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) Attack Pattern 2
Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd) Attack Pattern Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware 2
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware 2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware 2
Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware 2
Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51) Malware Pluggable Authentication Modules - T1556.003 (06c00069-771a-4d57-8ef5-d3718c1a8771) Attack Pattern 2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 3
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825) Attack Pattern 3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern 3
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) Attack Pattern 3
Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd) Attack Pattern Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern 3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Pluggable Authentication Modules - T1556.003 (06c00069-771a-4d57-8ef5-d3718c1a8771) Attack Pattern 3