Fysbis

Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014.^[1]

ID: S0410

ⓘ

Type: MALWARE

ⓘ

Platforms: Linux

Version: 1.4

Created: 12 September 2019

Last Modified: 11 April 2024

Techniques Used

Domain	ID		Name	Use
Enterprise	T1036	.004	伪装: Masquerade Task or Service	Fysbis has masqueraded as the rsyncd and dbus-inotifier services.^[2]
		.005	伪装: Match Legitimate Name or Location	Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier.^[2]
Enterprise	T1543	.002	创建或修改系统进程: Systemd Service	Fysbis has established persistence using a systemd service.^[2]
Enterprise	T1547	.013	启动或登录自动启动执行: XDG Autostart Entries	If executing without root privileges, Fysbis adds a `.desktop` configuration file to the user's `~/.config/autostart` directory.^[3]^[2]
Enterprise	T1059	.004	命令与脚本解释器: Unix Shell	Fysbis has the ability to create and execute commands in a remote shell for CLI.^[1]
Enterprise	T1132	.001	数据编码: Standard Encoding	Fysbis can use Base64 to encode its C2 traffic.^[2]
Enterprise	T1083		文件和目录发现	Fysbis has the ability to search for files.^[2]
Enterprise	T1027	.013	混淆文件或信息: Encrypted/Encoded File	Fysbis has been encrypted using XOR and RC4.^[2]
Enterprise	T1070	.004	移除指标: File Deletion	Fysbis has the ability to delete files.^[2]
Enterprise	T1082		系统信息发现	Fysbis has used the command `ls /etc \| egrep -e"fedora\|debian\|gentoo\|mandriva\|mandrake\|meego\|redhat\|lsb-\|sun-\|SUSE\|release"` to determine which Linux OS version is running.^[1]
Enterprise	T1056	.001	输入捕获: Keylogging	Fysbis can perform keylogging.^[1]
Enterprise	T1057		进程发现	Fysbis can collect information about running processes.^[2]

Groups That Use This Software

ID	Name	References
G0007	APT28	^[1]

References

Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017.
Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.

TONY LAMBERT. (2022, June 7). Trapping the Netwire RAT on Linux. Retrieved September 28, 2023.