Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
Backdoor:Linux/Mirai!rfn is a variant of the Mirai botnet malware. Although running on a Linux system, this variant is equipped with capabilities to scan for and exploit vulnerable Microsoft SQL (MSSQL) servers, enabling it to spread to Windows environments and add them to the botnet.
Relevant strings associated with this threat: - /ver.txt (PEHSTR_EXT) - /update.txt (PEHSTR_EXT) - http://%s:8888/ (PEHSTR_EXT) - \msinfo.exe (PEHSTR_EXT) - /delete /f /tn msinfo (PEHSTR_EXT) - //%s:8888/ups.rar (PEHSTR_EXT) - //%s:8888/wpd.dat (PEHSTR_EXT) - //%s:8888/wpdmd5.txt (PEHSTR_EXT) - //down2.b5w91.com:8443 (PEHSTR_EXT) - /shell?%s (PEHSTR_EXT) - ;exec sp_add_jobserver (PEHSTR_EXT) - ;EXEC sp_droplogin (PEHSTR_EXT) - ;exec(@a); (PEHSTR_EXT) - <sip:carol@chicago.com> (PEHSTR_EXT) - @name='bat.exe',@freq_type=4,@active_start_date (PEHSTR_EXT) - @shell INT EXEC SP_ (PEHSTR_EXT) - [Cracker:MSSQL] Host:%s, blindExec CMD: %s (PEHSTR_EXT) - [ExecCode] (PEHSTR_EXT) - [ExecCode]AUTHORIZATION [dbo] FROM 0x4D5A (PEHSTR_EXT) - \Run','rundll32'; (PEHSTR_EXT) - C:\Progra~1\kugou2010&attrib (PEHSTR_EXT) - C:\Progra~1\mainsoft&attrib (PEHSTR_EXT) - C:\Progra~1\shengda&attrib (PEHSTR_EXT) - cmd3:[%s] (PEHSTR_EXT) - DROP ASSEMBLY ExecCode (PEHSTR_EXT) - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT) - rundll32 (PEHSTR_EXT) - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT) - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT) - !#HSTR:ExecutionGuardrails (PEHSTR_EXT) - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT) - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
b534e3d3558aa6644d8a2fed139d6075a93be2507df2b389084dbacd6af2a6579ad29cce4377ced652679237e6cace88c22693d25d1bd79781b0c5242e79317db1f0280e9207cecace9d49169630945086e5a9bd8e757dcf58a5a33f9ff7f726858af8cba31f33905f8aa6bd9e63c8de72687a47621371e290fbc28ced58068c36583f5cb244ffeaab3078927997f6980fec89146df91d5edf1bb9d018ae7ce8Immediately isolate the compromised Linux host to prevent further scanning and lateral movement. Investigate network logs for outbound connections to MSSQL servers (port 1433). Scan and patch all MSSQL servers for vulnerabilities, ensure strong 'sa' passwords, and block the identified command-and-control domains at the network perimeter.