Windigo
Overview
The Windigo group has been active since at least 2011. It compromises thousands of Linux and Unix servers with the Ebury OpenSSH backdoor, which steals SSH credentials and keys from the infected host to spread to further machines, and uses the resulting botnet to send spam and redirect web traffic. Despite law enforcement action against the people behind it, Windigo operators kept updating Ebury through 2019.
TTPs — 7 techniques across 5 tactics
Initial Access
- T1189 Drive-by Compromise
Execution
Discovery
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1518 Software Discovery
Collection
- T1005 Data from Local System
Command and Control
- T1090 Proxy
Tools & malware (1)
Ebury
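The ESET report listed under Reporting published two host-level indicators for the 2014 generation of Ebury: the patched OpenSSH client accepted an `ssh -G` flag that a clean client of that era rejected, and the backdoor kept its state in a large (3 MB or more) world-writable shared memory segment visible in `ipcs -m`. The script below is an added example, not code from threatfilter.dev or ESET; it wraps those two indicators as functions that classify captured command output, so they can be exercised offline. The 3 MB threshold, the version cut-off and the sample `ipcs -m` listing are assumptions/constructed data, and the `ssh -G` check is deliberately marked inconclusive on OpenSSH 6.8 and later, where `-G` is a real option and the old test no longer means anything.

```shell
#!/bin/sh
# Host-side Ebury indicator checks modelled on ESET's Operation Windigo
# report (2014). Added example; not threatfilter.dev or ESET code.
# Thresholds and sample data are assumptions / constructed.

# Classify the "ssh -G" indicator.
#   $1: captured output of `ssh -G 2>&1`
#   $2: OpenSSH client version, e.g. "5.3" or "OpenSSH_7.4p1" (from `ssh -V`)
# Prints: clean | suspicious | inconclusive
# A clean pre-6.8 client rejects -G ("illegal option" / "unknown option");
# Ebury's patched client did not. OpenSSH 6.8 implemented -G for real,
# so on those versions the absence of an error proves nothing.
ebury_ssh_g_verdict() {
  out=$1
  v=${2#OpenSSH_}
  major=${v%%.*}
  minor=${v#*.}
  minor=${minor%%[!0-9]*}   # drop "p1" style suffixes
  minor=${minor:-0}
  if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }; then
    echo inconclusive
    return 0
  fi
  case $out in
    *illegal*|*unknown*) echo clean ;;
    *) echo suspicious ;;
  esac
}

# Flag shared memory segments matching the Ebury indicator:
# permission mode 666 and size >= 3 MB (3145728 bytes, assumed cut-off).
#   $1: captured output of `ipcs -m` (Linux column layout)
# Prints "shmid bytes" for each suspicious segment.
ebury_shm_suspects() {
  printf '%s\n' "$1" | awk '
    # columns: key shmid owner perms bytes nattch status
    $1 ~ /^0x/ && $4 == "666" && $5 >= 3145728 { print $2, $5 }'
}

# Constructed sample: an Apache segment (600, not flagged), a 3.1 MB 666
# segment owned by root (flagged), and a small 666 segment (not flagged).
SAMPLE_IPCS='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      apache     600        33554432   2          dest
0x6e726f2e 65537      root       666        3283992    1
0x00000000 98306      user       666        12288      0'

# Demo run on the constructed inputs (live use: feed real `ssh -G 2>&1`
# and `ipcs -m` output instead).
echo "ssh -G on 5.3 with error : $(ebury_ssh_g_verdict 'ssh: illegal option -- G' '5.3')"
echo "ssh -G on 5.3 no error   : $(ebury_ssh_g_verdict 'usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy]' '5.3')"
echo "ssh -G on 7.4            : $(ebury_ssh_g_verdict 'host example' 'OpenSSH_7.4p1')"
echo "suspicious shm segments  : $(ebury_shm_suspects "$SAMPLE_IPCS")"
```

Neither check is proof on its own: a `suspicious` or flagged result is a reason to verify the OpenSSH and `libkeyutils` packages against the distribution's package database (`rpm -V` / `dpkg -V`) and to treat the host's SSH credentials as exposed, since credential theft is what Ebury was built for.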
Reporting (2)
- 2019/06/04 Advisory: Windigo attacks (CERN)
- Operation Windigo – the vivisection of a large Linux server-side credential-stealing malware campaign. Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., Léveillé, M., Vanheuverzwijn, B. (ESET, March 2014)