Windigo - G0124 (4e868dad-682d-4897-b8df-2dc98f46c68a)

The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, Windigo operators continued updating Ebury through 2019.(Citation: ESET Windigo Mar 2014)(Citation: CERN Windigo June 2019)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windigo - G0124 (4e868dad-682d-4897-b8df-2dc98f46c68a)	Intrusion Set	1
Windigo - G0124 (4e868dad-682d-4897-b8df-2dc98f46c68a)	Intrusion Set	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	1
Windigo - G0124 (4e868dad-682d-4897-b8df-2dc98f46c68a)	Intrusion Set	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	1
Windigo - G0124 (4e868dad-682d-4897-b8df-2dc98f46c68a)	Intrusion Set	Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6)	Attack Pattern	1
Windigo - G0124 (4e868dad-682d-4897-b8df-2dc98f46c68a)	Intrusion Set	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	1
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Windigo - G0124 (4e868dad-682d-4897-b8df-2dc98f46c68a)	Intrusion Set	1
Windigo - G0124 (4e868dad-682d-4897-b8df-2dc98f46c68a)	Intrusion Set	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	1
Windigo - G0124 (4e868dad-682d-4897-b8df-2dc98f46c68a)	Intrusion Set	Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	2
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	2
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	2
Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd)	Attack Pattern	2
Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9)	Attack Pattern	2
Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84)	Attack Pattern	2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	2
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	2
Pluggable Authentication Modules - T1556.003 (06c00069-771a-4d57-8ef5-d3718c1a8771)	Attack Pattern	Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	2
Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	2
Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da)	Attack Pattern	2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	2
Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	2
Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825)	Attack Pattern	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	2
Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	2
Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	Compromise Host Software Binary - T1554 (960c3c86-1480-4d72-b4e0-8c242e84a5c5)	Attack Pattern	2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	2
Ebury - S0377 (d6b3fcd0-1c86-4350-96f0-965ed02fcc51)	Malware	Disable or Modify Linux Audit System - T1562.012 (562e9b64-7239-493d-80f4-2bff900d9054)	Attack Pattern	2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	3
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b)	Attack Pattern	Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd)	Attack Pattern	3
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	3
Pluggable Authentication Modules - T1556.003 (06c00069-771a-4d57-8ef5-d3718c1a8771)	Attack Pattern	Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da)	Attack Pattern	3
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825)	Attack Pattern	3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Linux Audit System - T1562.012 (562e9b64-7239-493d-80f4-2bff900d9054)	Attack Pattern	3