Green Lambert

Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of Green Lambert may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.[1][2]

ID: S0690
Type: MALWARE
Platforms: Windows, iOS, macOS, Linux
Contributors: Runa Sandvik
Version: 1.0
Created: 21 March 2022
Last Modified: 20 April 2022

Techniques Used

Domain ID Name Use
Enterprise T1546 .004 Event Triggered Execution: Unix Shell Configuration Modification

Green Lambert can establish persistence on a compromised host by modifying the profile, login, and run command (rc) files associated with the bash, csh, and tcsh shells.[2][3]

Enterprise T1555 .001 Credentials from Password Stores: Keychain

Green Lambert can use Keychain Services API functions to find and collect passwords, such as SecKeychainFindInternetPassword and SecKeychainItemCopyAttributesAndData.[2][3]

Enterprise T1005 Data from Local System

Green Lambert can collect data from a compromised host.[2]

Enterprise T1090 Proxy

Green Lambert can use proxies for C2 traffic.[2][3]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Green Lambert has created a new executable named Software Update Check to appear legitimate.[2][3]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Green Lambert has been disguised as a Growl help file.[2][3]

Enterprise T1543 .001 Create or Modify System Process: Launch Agent

Green Lambert can create a Launch Agent with the RunAtLoad key-value pair set to true, ensuring the com.apple.GrowlHelper.plist file runs every time a user logs in.[2][3]

Enterprise T1543 .004 Create or Modify System Process: Launch Daemon

Green Lambert can add a plist file to the Library/LaunchDaemons folder to establish persistence.[2][3]

Enterprise T1140 Deobfuscate/Decode Files or Information

Green Lambert can use multiple custom routines to decrypt strings prior to execution.[2][3]

Enterprise T1037 .004 Boot or Logon Initialization Scripts: RC Scripts

Green Lambert can add init.d and rc.d files in the /etc folder to establish persistence.[2][3]

Enterprise T1547 .015 Boot or Logon Autostart Execution: Login Items

Green Lambert can add Login Items to establish persistence.[2][3]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Green Lambert can use shell scripts for execution, such as /bin/sh -c.[2][3]

Enterprise T1071 .004 Application Layer Protocol: DNS

Green Lambert can use DNS for C2 communications.[2][3]

Enterprise T1027 Obfuscated Files or Information

Green Lambert has encrypted strings.[2][3]

Enterprise T1070 .004 Indicator Removal: File Deletion

Green Lambert can delete the original executable after initial installation, as well as its unused functions.[2][3]

Enterprise T1082 System Information Discovery

Green Lambert can use uname to identify the operating system name, version, and processor type.[2][3]

Enterprise T1124 System Time Discovery

Green Lambert can collect the date and time from a compromised host.[2][3]

Enterprise T1016 System Network Configuration Discovery

Green Lambert can obtain proxy information from a victim's machine using system environment variables.[2][3]

References