Description
The [Windigo](https://attack.mitre.org/groups/G0124) group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the [Ebury](https://attack.mitre.org/software/S0377) SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, [Windigo](https://attack.mitre.org/groups/G0124) operators continued updating [Ebury](https://attack.mitre.org/software/S0377) through 2019.(Citation: ESET Windigo Mar 2014)(Citation: CERN Windigo June 2019)
Techniques Used (TTPs)
- T1082 — System Information Discovery (discovery)
- T1005 — Data from Local System (collection)
- T1518 — Software Discovery (discovery)
- T1090 — Proxy (command-and-control)
- T1059 — Command and Scripting Interpreter (execution)
- T1083 — File and Directory Discovery (discovery)
- T1189 — Drive-by Compromise (initial-access)
Total TTPs: 7
Malware & Tools
Malware: Ebury