Exaramel for Linux is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under Exaramel for Windows.^[1]

ID: S0401

Type: MALWARE

Platforms: Linux

Version: 1.1

Created: 26 August 2019

Last Modified: 20 March 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Exaramel for Linux uses HTTPS for C2 communications.^[1]
Enterprise	T1059	.004	Command and Scripting Interpreter: Unix Shell	Exaramel for Linux has a command to execute a shell command on the system.^[1]
Enterprise	T1543	.002	Create or Modify System Process: Systemd Service	Exaramel for Linux has a hardcoded location under systemd that it uses to achieve persistence if it is running as root.^[1]
Enterprise	T1105		Ingress Tool Transfer	Exaramel for Linux has a command to download a file from a remote server.^[1]
Enterprise	T1027		Obfuscated Files or Information	Exaramel for Linux uses RC4 for encrypting the configuration.^[1]
Enterprise	T1053	.003	Scheduled Task/Job: Cron	Exaramel for Linux uses crontab for persistence if it does not have root privileges.^[1]

Groups That Use This Software

ID	Name	References
G0034	Sandworm Team	^[1]

References

Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.

Exaramel for Linux

Enterprise Layer

Techniques Used

Groups That Use This Software

References