Compromise Client Software Binary

Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.

Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.[1]

A common technique is for adversaries to replace the pre-installed SSH client on the target with a trojanized one, enabling them to maintain a backdoor on the host and persist on the machine.

Procedure Examples

Name: Ebury
Description: Ebury has been embedded into modified OpenSSH binaries to gain persistent access to SSH credential information.[2]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment. Look for changes to client software that do not correlate with known software or patch cycles.

Consider monitoring for anomalous behavior from client applications, such as atypical module loads, file reads/writes, or network connections.
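As an added example of the first detection idea (not code from the original page or from any referenced project), the following Python compares observed client-binary hashes against a golden-image baseline and reports changes whose modification time falls outside an approved patch window; the paths, digests and window are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib

@dataclass
class Observation:
    path: str        # client binary on the host, e.g. the SSH client
    sha256: str      # hash of its current contents
    mtime: datetime  # modification time seen on disk

def sha256_of(path: str) -> str:
    """Hash a file on disk in 64 KiB chunks (used to build live observations)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_suspicious_changes(baseline, observed, patch_windows,
                            slack=timedelta(hours=1)):
    """Return observations whose hash differs from the golden-image baseline
    and whose mtime lies outside every approved patch window (+/- slack).
    A binary absent from the baseline is always reported."""
    alerts = []
    for obs in observed:
        expected = baseline.get(obs.path)
        if expected == obs.sha256:
            continue  # unchanged since the baseline
        in_window = expected is not None and any(
            start - slack <= obs.mtime <= end + slack
            for start, end in patch_windows)
        if not in_window:
            alerts.append(obs)
    return alerts

def _h(label: str) -> str:
    """Deterministic constructed digest standing in for a real binary's hash."""
    return hashlib.sha256(label.encode()).hexdigest()

# Constructed sample data: a golden-image baseline, one approved patch window,
# and three observations taken from a host.
BASELINE = {"/usr/bin/ssh": _h("ssh original"), "/usr/bin/scp": _h("scp original")}
PATCH_WINDOWS = [(datetime(2020, 12, 15, 10, 0), datetime(2020, 12, 15, 11, 0))]
OBSERVED = [
    Observation("/usr/bin/scp", _h("scp patched"), datetime(2020, 12, 15, 10, 20)),   # in window
    Observation("/usr/bin/ssh", _h("ssh replaced"), datetime(2020, 12, 21, 3, 12)),   # outside
    Observation("/usr/bin/sftp", _h("sftp unknown"), datetime(2020, 12, 15, 10, 30)),  # unbaselined
]
ALERTS = find_suspicious_changes(BASELINE, OBSERVED, PATCH_WINDOWS)  # ssh and sftp
```

In production the baseline would come from package-manager manifests or a signed golden image, and observations from `sha256_of` plus the file's mtime.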

ID: VT0014
MITRE ID:
Sub-techniques: No sub-techniques
Tactic: Persistence
Platforms: Linux, Windows, macOS
Data Sources: Binary file metadata, Process monitoring
Version: 1.0

Created: 21 December 2020

Last Modified: 27 December 2020