{ "type": "bundle", "id": "bundle--512f7360-3e9f-41ca-878f-d813af97ea7e", "spec_version": "2.0", "objects": [ { "aliases": [ "Windigo" ], "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "intrusion-set--4e868dad-682d-4897-b8df-2dc98f46c68a", "type": "intrusion-set", "created": "2021-02-10T19:57:38.042Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "G0124", "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0124" }, { "source_name": "ESET Windigo Mar 2014", "url": "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/", "description": "Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., L\u00e9veill\u00e9, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo \u2013 the vivisection of a large Linux server\u2011side credential\u2011stealing malware campaign. Retrieved February 10, 2021." }, { "source_name": "CERN Windigo June 2019", "url": "https://security.web.cern.ch/advisories/windigo/windigo.shtml", "description": "CERN. (2019, June 4). 2019/06/04 Advisory: Windigo attacks. Retrieved February 10, 2021." } ], "modified": "2021-04-26T22:32:57.046Z", "name": "Windigo", "description": "The [Windigo](https://attack.mitre.org/groups/G0124) group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the [Ebury](https://attack.mitre.org/software/S0377) SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, [Windigo](https://attack.mitre.org/groups/G0124) operators continued updating [Ebury](https://attack.mitre.org/software/S0377) through 2019.(Citation: ESET Windigo Mar 2014)(Citation: CERN Windigo June 2019)", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] }