Skip to content

Hide Navigation Hide TOC

Kessel - S0487 (c984b414-b766-44c5-814a-2fe96c913c12)

Kessel is an advanced version of OpenSSH which acts as a custom backdoor, mainly acting to steal credentials and function as a bot. Kessel has been active since its C2 domain began resolving in August 2018.(Citation: ESET ForSSHe December 2018)

Cluster A Galaxy A Cluster B Galaxy B Level
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Kessel - S0487 (c984b414-b766-44c5-814a-2fe96c913c12) Malware 1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Kessel - S0487 (c984b414-b766-44c5-814a-2fe96c913c12) Malware 1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Kessel - S0487 (c984b414-b766-44c5-814a-2fe96c913c12) Malware 1
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Kessel - S0487 (c984b414-b766-44c5-814a-2fe96c913c12) Malware 1
Kessel - S0487 (c984b414-b766-44c5-814a-2fe96c913c12) Malware Compromise Host Software Binary - T1554 (960c3c86-1480-4d72-b4e0-8c242e84a5c5) Attack Pattern 1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Kessel - S0487 (c984b414-b766-44c5-814a-2fe96c913c12) Malware 1
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Kessel - S0487 (c984b414-b766-44c5-814a-2fe96c913c12) Malware 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Kessel - S0487 (c984b414-b766-44c5-814a-2fe96c913c12) Malware 1
Kessel - S0487 (c984b414-b766-44c5-814a-2fe96c913c12) Malware Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 1
Kessel - S0487 (c984b414-b766-44c5-814a-2fe96c913c12) Malware Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 1
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Kessel - S0487 (c984b414-b766-44c5-814a-2fe96c913c12) Malware 1
Kessel - S0487 (c984b414-b766-44c5-814a-2fe96c913c12) Malware Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd) Attack Pattern 1
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Kessel - S0487 (c984b414-b766-44c5-814a-2fe96c913c12) Malware 1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Kessel - S0487 (c984b414-b766-44c5-814a-2fe96c913c12) Malware 1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 2