Open
Labels
missing:tag:Non-persistentStorage, missing:tag:T1003.008, missing:tag:T1005, missing:tag:T1007, missing:tag:T1021.002, missing:tag:T1037, missing:tag:T1048, missing:tag:T1053.006, missing:tag:T1057, missing:tag:T1070.004, missing:tag:T1071.001, missing:tag:T1078.003, missing:tag:T1491, missing:tag:T1543.002, missing:tag:T1546.004, missing:tag:T1567, missing:tag:T1573, missing:tag:T1590
Description
Area
Malware reports
Parent threat
Lateral Movement, Credential Access, Execution, Defense Evasion, Persistence
Finding
https://www.mandiant.com/resources/unc2891-overview
Industry reference
attack:T1021.004:SSH
attack:T1003.008:/etc/passwd and /etc/shadow
attack:T1552.003:Bash History
attack:T1552.004:Private Keys
attack:T1556.003:Pluggable Authentication Modules
attack:T1053.001:At (Linux)
attack:T1059.004:Unix Shell
attack:T1014:Rootkit
attack:T1070.002:Clear Linux or Mac System Logs
attack:T1548.001:Setuid and Setgid
attack:T1543.002:Systemd Service
attack:T1547.006:Kernel Modules and Extensions
Malware reference
#134
TINYSHELL
SLAPSTICK
CAKETAP
WIPERIGHT
MIG Logcleaner
#154
BINBASH
Actor reference
UNC2891
UNC1945
LightBasin
Component
Linux, Solaris, Banking
Scenario
No response