Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021.

Kessel

Kessel is a modified version of OpenSSH that acts as a custom backdoor, mainly used to steal credentials and to function as a bot. Kessel has been active since its C2 domain began resolving in August 2018.[1]

ID: S0487
Type: MALWARE
Platforms: Linux
Version: 1.0
Created: 16 July 2020
Last Modified: 10 August 2020

Techniques Used

Domain ID Name Use
Enterprise T1560 Archive Collected Data

Kessel can RC4-encrypt credentials before sending to the C2.[1]

Enterprise T1059 Command and Scripting Interpreter

Kessel can create a reverse shell between the infected host and a specified system.[1]

Enterprise T1554 Compromise Client Software Binary

Kessel has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.[1]

Enterprise T1132.001 Data Encoding: Standard Encoding

Kessel has exfiltrated data via hexadecimal-encoded subdomain fields of DNS queries.[1]

Enterprise T1030 Data Transfer Size Limits

Kessel can split the data to be exfiltrated into chunks that will fit in subdomains of DNS queries.[1]
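One way a defender could hunt for the hex-encoded, chunked DNS exfiltration pattern described under T1132.001 and T1030 above, as an added example that is not from this page or from any published Kessel analysis: a small Python detector that groups queries by zone, flags repeated queries whose subdomain labels are long hex strings, and reassembles the chunks. The log format, the 8-character hex threshold, the two-label zone depth and the `c2.example` zone are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Labels this long made only of hex digits rarely occur in ordinary hostnames;
# the 8-character threshold and the 2-label zone depth are assumptions for this example.
HEX_LABEL = re.compile(r"^[0-9a-f]{8,63}$", re.IGNORECASE)  # 63 = RFC 1035 label limit

def split_query(qname, zone_depth=2):
    """Split 'aa.bb.c2.example.' into (['aa', 'bb'], 'c2.example')."""
    labels = qname.rstrip(".").split(".")
    return labels[:-zone_depth], ".".join(labels[-zone_depth:])

def analyze(log_lines, min_queries=3):
    """Flag zones that receive repeated queries whose subdomain labels are long
    hex strings, i.e. the hex-encoded, chunked exfiltration pattern described
    under T1132.001 and T1030. Log format (constructed): '<ts> <client> <qname> <qtype>'."""
    per_zone = defaultdict(lambda: {"queries": 0, "payload": ""})
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        sub, zone = split_query(parts[2])
        hex_parts = [label for label in sub if HEX_LABEL.match(label)]
        if not hex_parts:
            continue
        per_zone[zone]["queries"] += 1
        # Chunks are reassembled in log order; a real scheme may need sequence numbers.
        per_zone[zone]["payload"] += "".join(hex_parts)
    alerts = {}
    for zone, entry in per_zone.items():
        if entry["queries"] < min_queries:
            continue
        hexstr = entry["payload"]
        decoded = bytes.fromhex(hexstr) if len(hexstr) % 2 == 0 else None
        alerts[zone] = {"queries": entry["queries"], "hex_chars": len(hexstr), "decoded": decoded}
    return alerts

# Constructed sample: a fake secret split into 8-character hex chunks, one per query,
# plus benign traffic. 'c2.example' stands in for the real C2 zone, which is not on the page.
SECRET = b"root:hunter2"
HEXED = SECRET.hex()
EXFIL_LINES = [f"2020-08-10T10:00:0{i} 10.0.0.5 {HEXED[i * 8:(i + 1) * 8]}.c2.example. A" for i in range(3)]
SAMPLE_LOG = [
    "2020-08-10T10:00:00 10.0.0.5 www.example.org. A",
    "2020-08-10T10:00:00 10.0.0.5 cafe.example.org. AAAA",  # short hex-looking label, ignored
] + EXFIL_LINES

if __name__ == "__main__":
    for zone, alert in analyze(SAMPLE_LOG).items():
        print(zone, alert)
```

Long hex labels also occur legitimately (content-hash hostnames on CDNs, some cloud service records), so in production this should be paired with an allowlist or a per-client query-rate baseline rather than alerting on a single match.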

Enterprise T1140 Deobfuscate/Decode Files or Information

Kessel has decrypted the binary's configuration once the main function was launched.[1]

Enterprise T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Kessel can exfiltrate credentials and other information via HTTP POST request, TCP, and DNS.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Kessel has exfiltrated information gathered from the infected system to the C2 server.[1]

Enterprise T1105 Ingress Tool Transfer

Kessel can download additional modules from the C2 server.[1]

Enterprise T1556 Modify Authentication Process

Kessel has trojanized the ssh_login and user-auth_pubkey functions to steal plaintext credentials.[1]

Enterprise T1027 Obfuscated Files or Information

Kessel's configuration is hardcoded and RC4 encrypted within the binary.[1]

Enterprise T1090 Proxy

Kessel can use a proxy during exfiltration if set in the configuration.[1]

Enterprise T1082 System Information Discovery

Kessel has collected the system architecture, OS version, and MAC address information.[1]

Enterprise T1016 System Network Configuration Discovery

Kessel has collected the DNS address of the infected host.[1]

References