Description
Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
Adversaries may establish persistence through modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., Modify Authentication Process).(Citation: Google Cloud Mandiant UNC3886 2024)
An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
After modifying a binary, an adversary may attempt to impair defenses by preventing it from updating (e.g., via the yum-versionlock command or versionlock.list file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)
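One defender-side check for the entry-point patching described above: read the ELF64 section table and report which section `e_entry` lands in, flagging an entry point that falls outside every section, in a non-executable section, or in a writable one. This is an added example, not code from the ATT&CK page; the function names and the constructed ELF images are assumptions, and the heuristic is a triage aid, not a verdict.

```python
import struct

EHDR = struct.Struct("<4sBBBBB7xHHIQQQIHHHHHH")  # ELF64 file header, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")              # ELF64 section header, 64 bytes
SHF_WRITE, SHF_EXECINSTR = 0x1, 0x4


def sections(data):
    """Yield (name, flags, addr, size) for each section header in an ELF64 image."""
    hdr = EHDR.unpack_from(data, 0)
    if hdr[0] != b"\x7fELF" or hdr[1] != 2:
        raise ValueError("not an ELF64 image")
    shoff, shentsize, shnum, shstrndx = hdr[11], hdr[16], hdr[17], hdr[18]
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    strtab = shdrs[shstrndx][4]  # file offset of .shstrtab
    for sh_name, _, flags, addr, _, size, *_ in shdrs:
        end = data.index(b"\0", strtab + sh_name)
        yield data[strtab + sh_name:end].decode(), flags, addr, size


def entry_section(data):
    """Return (name, flags) of the section that contains e_entry, or None."""
    entry = EHDR.unpack_from(data, 0)[9]
    for name, flags, addr, size in sections(data):
        if addr and addr <= entry < addr + size:
            return name, flags


def entry_is_suspicious(data):
    """Flag an entry point outside every section, in a non-executable
    section, or in a writable one: where patched-in code tends to live."""
    hit = entry_section(data)
    if hit is None:
        return True
    flags = hit[1]
    return not flags & SHF_EXECINSTR or bool(flags & SHF_WRITE)


def build_elf(entry, data_flags=0x3):
    """Constructed ELF64 image (headers only) with .text, .data, .shstrtab."""
    names = b"\0.text\0.data\0.shstrtab\0"
    shoff, str_off = EHDR.size, EHDR.size + 4 * SHDR.size
    hdr = EHDR.pack(b"\x7fELF", 2, 1, 1, 0, 0, 2, 0x3E, 1, entry, 0, shoff,
                    0, EHDR.size, 0, 0, SHDR.size, 4, 3)
    shdrs = [SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                       # null
             SHDR.pack(1, 1, 0x6, 0x401000, str_off, 0x100, 0, 0, 16, 0),  # .text AX
             SHDR.pack(7, 1, data_flags, 0x402000, str_off, 0x100, 0, 0, 16, 0),
             SHDR.pack(13, 3, 0, 0, str_off, len(names), 0, 0, 1, 0)]      # .shstrtab
    return hdr + b"".join(shdrs) + names
```

On a real file, call `entry_is_suspicious(open(path, "rb").read())`; a binary whose section headers were stripped raises IndexError here, which is itself worth noting during triage.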
Platforms
Mitigations (1)
M1045 Code Signing
Ensure all application component binaries are signed by the correct application developers.
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has trojanized Fortinet firmware and replaced the legitimate `/usr/bin/tac_plus` TACACS+ daemon for L... |
| G1023 | APT5 | [APT5](https://attack.mitre.org/groups/G1023) has modified legitimate binaries and scripts for Pulse Secure VPNs including the legitimate DSUpgrade.pm... |
Associated Software (18)
| ID | Name | Type | Context |
|---|---|---|---|
| S9014 | PHASEJAM | Malware | [PHASEJAM](https://attack.mitre.org/software/S9014) has modified legitimate components to enable persistence and execution, including inserting a web ... |
| S1116 | WARPWIRE | Malware | [WARPWIRE](https://attack.mitre.org/software/S1116) can embed itself into a legitimate file on compromised Ivanti Connect Secure VPNs.(Citation: Mandi... |
| S0604 | Industroyer | Malware | [Industroyer](https://attack.mitre.org/software/S0604) has used a Trojanized version of the Windows Notepad application for an additional backdoor per... |
| S1136 | BFG Agonizer | Malware | [BFG Agonizer](https://attack.mitre.org/software/S1136) uses DLL unhooking to remove user mode inline hooks that security solutions often implement. [... |
| S1118 | BUSHWALK | Malware | [BUSHWALK](https://attack.mitre.org/software/S1118) can embed into the legitimate `querymanifest.cgi` file on compromised Ivanti Connect Secure VPNs.(... |
| S0641 | Kobalos | Malware | [Kobalos](https://attack.mitre.org/software/S0641) replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems.(C... |
| S0487 | Kessel | Malware | [Kessel](https://attack.mitre.org/software/S0487) has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.(Citation: ESET ... |
| S0595 | ThiefQuest | Malware | [ThiefQuest](https://attack.mitre.org/software/S0595) searches through the `/Users/` folder looking for executable files. For each executab... |
| S1121 | LITTLELAMB.WOOLTEA | Malware | [LITTLELAMB.WOOLTEA](https://attack.mitre.org/software/S1121) can append malicious components to the `tmp/tmpmnt/bin/samba_upgrade.tar` archive inside... |
| S1184 | BOLDMOVE | Malware | [BOLDMOVE](https://attack.mitre.org/software/S1184) contains a watchdog-like feature that monitors a particular file for modification. If modification... |
| S0377 | Ebury | Malware | [Ebury](https://attack.mitre.org/software/S0377) modifies the `keyutils` library to add malicious behavior to the OpenSSH client and the curl library.... |
| S1119 | LIGHTWIRE | Malware | [LIGHTWIRE](https://attack.mitre.org/software/S1119) can embed itself into the legitimate `compcheckresult.cgi` component of Ivanti Connect Secure VPN... |
| S0486 | Bonadan | Malware | [Bonadan](https://attack.mitre.org/software/S0486) has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.(Citation: ESET... |
| S9010 | GlassWorm | Malware | [GlassWorm](https://attack.mitre.org/software/S9010) can modify hardware wallet applications.(Citation: Koi Glassworm New Tricks December 2025) |
| S0658 | XCSSET | Malware | [XCSSET](https://attack.mitre.org/software/S0658) uses a malicious browser application to replace the legitimate browser in order to continuously capt... |
| S1120 | FRAMESTING | Malware | [FRAMESTING](https://attack.mitre.org/software/S1120) can embed itself in the CAV Python package of an Ivanti Connect Secure VPN located in `/home/ven... |
| S1104 | SLOWPULSE | Malware | [SLOWPULSE](https://attack.mitre.org/software/S1104) is applied in compromised environments through modifications to legitimate Pulse Secure files.(Ci... |
| S1115 | WIREFIRE | Malware | [WIREFIRE](https://attack.mitre.org/software/S1115) can modify the `visits.py` component of Ivanti Connect Secure VPNs for file download and arbitrary... |
References
- Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.
- Or Chechik. (2022, October 31). Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure. Retrieved September 27, 2023.
- Vladislav Hrčka. (2021, January 1). FontOnLake. Retrieved September 27, 2023.
Frequently Asked Questions
What is T1554 (Compromise Host Software Binary)?
T1554 is a MITRE ATT&CK technique named 'Compromise Host Software Binary'. It belongs to the Persistence tactic(s). Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Com...
How can T1554 be detected?
Detection of T1554 (Compromise Host Software Binary) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1554?
There is 1 documented mitigation for T1554: Code Signing (M1045).
Which threat groups use T1554?
Known threat groups using T1554 include: UNC3886, APT5.