“capture its own executable path. With this information, it constructs the path for its temporary PID file inside the user’s home directory (for example, <home>/.temp). Once the PID file location is prepared, the malware checks whether another running instance already exis…”
T1059.004 Unix Shell (90%)
“, as shown in figure 3. Phase 3: after collecting the potential candidates, the next step was to process and rank them. Since we focused on ELF binaries in this research, we passed these files directly into the decompilation pipeline. In the third phase, the automated script sent …”
T1059.004 Unix Shell (89%)
“from the C&C server. Supported commands allow the malware to provide a remote shell via “/bin/sh”, and perform various file and directory operations including creating, deleting, renaming, reading, and writing files, modifying file timestamps, and searching for files by ex…”
T1573 Encrypted Channel (49%)
“and task ID 3 (set status active) when the status is registering (figure 16). These registration packets are sent every second until the C&C server responds with a command that changes the client’s status to active. Once the malware receives the session ID, it utilizes it…”
T1572 Protocol Tunneling (41%)
“’s main operation loop. The code iterates through a configured list of C&C servers, launching separate threads for asynchronous communication (heartbeating, data receiving, and sending) once a connection is established. This main thread then enters an idle state, waiting for…”
T1082 System Information Discovery (39%)
“register itself with the C&C server by calling registerselftoserver. This function spawns another worker thread, threadprocregisterselftoserver, and waits up to 10 seconds for it to complete. The registration thread gathers system information by creating an instance of the cbas…”
T1588.002 Tool (36%)
“…ented, and built largely from scratch. When threat actors avoid publicly available libraries, known GitHub code, or code borrowed from other malware families, they create previously unseen samples that can evade detection and make hunting them significantly harder. In these cas…”
T1665 Hide Infrastructure (35%)
“cloud environments. Trend Vision One™ Network Security - 46704: UDP: Backdoor.Linux.GhostPenguin.A runtime detection. Trend Micro™ Threat Intelligence: to stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides the latest ins…”
Summary
In this blog entry, Trend™ Research provides a comprehensive breakdown of GhostPenguin, a previously undocumented Linux backdoor with low detection rates that was discovered through AI-powered threat hunting and in-depth malware analysis.