Green Lambert

Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of Green Lambert may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.[1][2]

ID: S0690
Type: MALWARE
Platforms: Windows, iOS, macOS, Linux
Contributors: Runa Sandvik
Version: 1.0
Created: 21 March 2022
Last Modified: 16 April 2025

Techniques Used

Domain   ID   Name   Use

Enterprise   T1071.004   Application Layer Protocol: DNS

Green Lambert can use DNS for C2 communications.[2][3]
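The entry above only states that DNS is used for C2. The block below is an added example written for this page, not Green Lambert's own logic and not a published detection for the Lamberts: a resolver-log heuristic that flags a client/domain pair when it emits many distinct subdomains whose labels look like encoded data. The log format (`<epoch> <client-ip> <qname> <qtype>`), the sample lines, the two-label approximation of the registered domain and the thresholds are all assumptions.

```python
"""Added example for this page (not from the ATT&CK entry or from the malware):
a DNS-tunnelling heuristic over constructed resolver log lines."""
import math
from collections import defaultdict

# Constructed sample: 10.0.0.5 browses normally; 10.0.0.7 beacons through
# TXT lookups whose leftmost label carries encoded data.
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com A
1700000002 10.0.0.5 mail.example.com A
1700000003 10.0.0.5 www.example.com. AAAA
1700000004 10.0.0.7 q7w2e9r4t1y6u3i8.cdn-updates.net TXT
1700000005 10.0.0.7 z5x1c8v3b6n2m9k4.cdn-updates.net TXT
1700000006 10.0.0.7 a0s9d8f7g6h5j4l3.cdn-updates.net TXT
1700000007 10.0.0.7 p2o4i6u8y1t3r5e7.cdn-updates.net TXT
1700000008 10.0.0.7 m1n3b5v7c9x2z4l6.cdn-updates.net TXT
1700000009 10.0.0.7 k8j6h4g2f0d9s7a5.cdn-updates.net TXT
"""


def shannon_entropy(s):
    """Bits per character of s; 0.0 for the empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Approximate the registered domain as the last two labels (assumption;
    a public-suffix list is the right tool in production)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Parse one constructed log line; return (client, qname, qtype) or None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _epoch, client, qname, qtype = parts
    return client, qname.rstrip(".").lower(), qtype.upper()


def find_dns_tunnels(log_text, min_unique=5, min_entropy=3.0):
    """Return (client, domain) pairs whose subdomains look like encoded data:
    at least min_unique distinct subdomains with mean entropy >= min_entropy."""
    stats = defaultdict(lambda: {"subs": set(), "entropy": [], "qtypes": defaultdict(int)})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, qname, qtype = rec
        domain = registered_domain(qname)
        if qname == domain:
            continue  # a bare apex query carries no subdomain payload
        sub = qname[: -len(domain) - 1]
        st = stats[(client, domain)]
        st["subs"].add(sub)
        st["entropy"].append(shannon_entropy(sub.replace(".", "")))
        st["qtypes"][qtype] += 1
    findings = []
    for (client, domain), st in stats.items():
        mean_h = sum(st["entropy"]) / len(st["entropy"])
        if len(st["subs"]) >= min_unique and mean_h >= min_entropy:
            findings.append({
                "client": client,
                "domain": domain,
                "unique_subdomains": len(st["subs"]),
                "mean_entropy": round(mean_h, 2),
                "qtypes": dict(st["qtypes"]),
            })
    return sorted(findings, key=lambda f: (f["client"], f["domain"]))


if __name__ == "__main__":
    for f in find_dns_tunnels(SAMPLE_LOG):
        print(f)
```

Run against the constructed log, only the 10.0.0.7 / cdn-updates.net pair is reported (six distinct labels, all TXT). Legitimate hosts with many subdomains (CDNs, anti-virus lookups) will trip a count-only rule, which is why the entropy of the label is combined with the count; tune both thresholds against a baseline of your own resolver traffic.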

Enterprise   T1547.015   Boot or Logon Autostart Execution: Login Items

Green Lambert can add Login Items to establish persistence.[2][3]

Enterprise   T1037.004   Boot or Logon Initialization Scripts: RC Scripts

Green Lambert can add init.d and rc.d files in the /etc folder to establish persistence.[2][3]

Enterprise   T1059.004   Command and Scripting Interpreter: Unix Shell

Green Lambert can use shell scripts for execution, such as /bin/sh -c.[2][3]

Enterprise   T1543.001   Create or Modify System Process: Launch Agent

Green Lambert can create a Launch Agent with the RunAtLoad key-value pair set to true, ensuring the com.apple.GrowlHelper.plist file runs every time a user logs in.[2][3]

Enterprise   T1543.004   Create or Modify System Process: Launch Daemon

Green Lambert can add a plist file in the Library/LaunchDaemons folder to establish persistence.[2][3]
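The two launchd entries above describe the lure: an Apple-looking label (com.apple.GrowlHelper) installed as a user Launch Agent or a Launch Daemon with RunAtLoad set. The block below is an added triage example written for this page, not code from Green Lambert, Apple or ATT&CK. It parses launchd property lists with the standard-library plistlib and scores them. The sample plists are constructed, and the scoring weights, the "Apple-owned paths" list and the "suspicious program path" rule are hunting heuristics assumed here, not vendor guidance.

```python
"""Added example for this page: score launchd plists for the lure pattern
described in the Launch Agent / Launch Daemon entries (constructed samples)."""
import os
import plistlib

# Apple installs its own agents and daemons under /System/Library (assumption
# used as a heuristic: a com.apple.* job elsewhere deserves a look).
APPLE_OWNED = ("/System/Library/",)
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def make_plist(d):
    """Serialise a dict to XML plist bytes (used only to build sample input)."""
    return plistlib.dumps(d)


# Constructed samples keyed by install path.
SAMPLE_PLISTS = {
    "/Users/alice/Library/LaunchAgents/com.apple.GrowlHelper.plist": make_plist({
        "Label": "com.apple.GrowlHelper",
        "ProgramArguments": ["/Users/alice/Library/.GrowlHelper/GrowlHelper"],
        "RunAtLoad": True,
    }),
    "/Library/LaunchDaemons/com.vendor.updater.plist": make_plist({
        "Label": "com.vendor.updater",
        "Program": "/Library/Vendor/updater",
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "/System/Library/LaunchAgents/com.apple.example.plist": make_plist({
        "Label": "com.apple.example",
        "Program": "/System/Library/CoreServices/example",
        "RunAtLoad": True,
    }),
}


def program_of(pl):
    """The executable a launchd job runs: Program, else ProgramArguments[0]."""
    if pl.get("Program"):
        return str(pl["Program"])
    args = pl.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def suspicious_path(path):
    """Hidden directory component or a temp/shared directory (heuristic)."""
    return "/." in path or path.startswith(TEMP_DIRS)


def triage_plist(path, data):
    """Score one plist; return a finding dict, or None when below threshold."""
    base = {"path": path, "label": "", "program": ""}
    try:
        pl = plistlib.loads(data)
    except Exception as exc:  # a malformed plist in these folders is itself notable
        return {**base, "score": 2, "reasons": [f"unparseable:{type(exc).__name__}"]}
    if not isinstance(pl, dict):
        return {**base, "score": 2, "reasons": ["not_a_dict"]}
    label = str(pl.get("Label", ""))
    program = program_of(pl)
    reasons, score = [], 0
    claims_apple = (label.startswith("com.apple.")
                    or os.path.basename(path).startswith("com.apple."))
    if claims_apple and not path.startswith(APPLE_OWNED):
        reasons.append("apple_label_outside_system")
        score += 2
    if suspicious_path(program):
        reasons.append("program_in_hidden_or_temp_path")
        score += 1
    if pl.get("RunAtLoad") is True:
        reasons.append("run_at_load")  # weak alone: most legitimate jobs set it
        score += 1
    if score < 2:
        return None
    return {**base, "label": label, "program": program, "score": score, "reasons": reasons}


def triage_launchd_plists(plists):
    """Triage a {path: bytes} mapping; highest score first."""
    found = [f for f in (triage_plist(p, d) for p, d in plists.items()) if f]
    return sorted(found, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage_launchd_plists(SAMPLE_PLISTS):
        print(f["score"], f["path"], ", ".join(f["reasons"]))
```

On the constructed set only the GrowlHelper agent is returned: the vendor daemon and the system agent score one point each for RunAtLoad, which is deliberately below the threshold because nearly every legitimate job sets it. To run this on a live host, feed it the bytes of every file under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons.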

Enterprise   T1555.001   Credentials from Password Stores: Keychain

Green Lambert can use Keychain Services API functions to find and collect passwords, such as SecKeychainFindInternetPassword and SecKeychainItemCopyAttributesAndData.[2][3]

Enterprise   T1005   Data from Local System

Green Lambert can collect data from a compromised host.[2]

Enterprise   T1140   Deobfuscate/Decode Files or Information

Green Lambert can use multiple custom routines to decrypt strings prior to execution.[2][3]

Enterprise   T1546.004   Event Triggered Execution: Unix Shell Configuration Modification

Green Lambert can establish persistence on a compromised host by modifying the profile, login, and run command (rc) files associated with the bash, csh, and tcsh shells.[2][3]
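The shell-configuration entry above and the RC Scripts entry earlier (init.d and rc.d files under /etc) name the files that get modified but not how to check them. The block below is an added hunting example written for this page, not Green Lambert's routine and not ATT&CK content: it scans the bash/csh/tcsh startup files and /etc/init.d and /etc/rc.d for lines that background a process, invoke sh -c, reference a hidden or temp path, or decode/eval. The sample files are constructed, the line patterns are heuristics, and the rule that any script present under /etc/init.d or /etc/rc.d is reported outright rests on the assumption that macOS itself does not populate those directories.

```python
"""Added example for this page: scan shell startup files and rc/init.d
directories for the persistence described in T1546.004 / T1037.004."""
import re

# Startup files read by bash, csh and tcsh (per-user dotfiles and /etc names).
SHELL_STARTUP_NAMES = {
    ".profile", ".bash_profile", ".bash_login", ".bashrc",
    ".login", ".cshrc", ".tcshrc", "profile", "csh.cshrc", "csh.login", "bashrc",
}
RC_DIRS = ("/etc/init.d/", "/etc/rc.d/")

# Each rule: (reason, regex) applied to non-comment lines. Heuristics only.
LINE_RULES = [
    ("backgrounded", re.compile(r"(^|[\s(])nohup\s|&\s*$")),
    ("sh_dash_c", re.compile(r"(^|[\s/(])(ba)?sh\s+-c\s")),
    ("hidden_or_tmp_path", re.compile(r"/\.[A-Za-z0-9_-]+/|(^|[\s\"'=(])/(private/)?(var/)?tmp/")),
    ("eval_or_decode", re.compile(r"\b(eval|base64)\b")),
]

# Constructed samples keyed by path.
SAMPLE_FILES = {
    "/Users/alice/.bash_profile": (
        "# user profile\n"
        "export PATH=\"$HOME/bin:$PATH\"\n"
        "alias ll='ls -la'\n"
        "/bin/sh -c '/Users/alice/Library/.growl/helper' >/dev/null 2>&1 &\n"
    ),
    "/Users/alice/.cshrc": (
        "setenv EDITOR vim\n"
        "( nohup ~/Library/.growl/helper & ) >& /dev/null\n"
    ),
    "/etc/profile": "umask 022\nPATH=/usr/bin:/bin:/usr/sbin:/sbin\n",
    "/etc/rc.d/rc.local": "#!/bin/sh\n/Library/.helper/start\n",
}


def is_startup_file(path):
    """True for shell startup files and anything under the rc directories."""
    name = path.rsplit("/", 1)[-1]
    return name in SHELL_STARTUP_NAMES or path.startswith(RC_DIRS)


def scan_text(path, text):
    """Apply LINE_RULES to one file's text; return a list of findings."""
    findings = []
    if path.startswith(RC_DIRS) and text.strip():
        # macOS does not ship init.d/rc.d scripts (assumption): report the file itself.
        findings.append({"path": path, "line_no": 0, "line": "", "reasons": ["rc_script_present"]})
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = [r for r, rx in LINE_RULES if rx.search(line)]
        if reasons:
            findings.append({"path": path, "line_no": no, "line": line, "reasons": reasons})
    return findings


def scan_startup_files(files):
    """Scan a {path: text} mapping; return findings in path order."""
    out = []
    for path, text in sorted(files.items()):
        if is_startup_file(path):
            out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_startup_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line_no']} {','.join(f['reasons'])}  {f['line']}")
```

The clean /etc/profile produces nothing; the two dotfiles and the rc.d script are each reported with the matching reasons. A better signal than any single pattern is a diff of these files against a known-good copy or the package-manager original, and the scan is most useful run on a dump of every user's home directory rather than only the current one.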

Enterprise   T1070.004   Indicator Removal: File Deletion

Green Lambert can delete the original executable after initial installation, as well as unused functions.[2][3]

Enterprise   T1036.004   Masquerading: Masquerade Task or Service

Green Lambert has created a new executable named Software Update Check to appear legitimate.[2][3]

Enterprise   T1036.005   Masquerading: Match Legitimate Resource Name or Location

Green Lambert has been disguised as a Growl help file.[2][3]

Enterprise   T1027   Obfuscated Files or Information

Green Lambert has encrypted strings.[2][3]

Enterprise   T1090   Proxy

Green Lambert can use proxies for C2 traffic.[2][3]

Enterprise   T1082   System Information Discovery

Green Lambert can use uname to identify the operating system name, version, and processor type.[2][3]

Enterprise   T1016   System Network Configuration Discovery

Green Lambert can obtain proxy information from a victim's machine using system environment variables.[2][3]

Enterprise   T1124   System Time Discovery

Green Lambert can collect the date and time from a compromised host.[2][3]

References
