Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Winnti
This threat is a concrete detection of a Backdoor from the Winnti APT group, specifically targeting Linux systems. It is designed to perform system reconnaissance (e.g., extracting UUID), establish covert command-and-control (C2) communication using HTTP CONNECT tunneling, and execute remote commands, potentially including hiding shell processes. The malware exhibits sophisticated network interaction, custom event handling, and raw data transmission capabilities.
Relevant strings associated with this threat:

- SetAppInitDllDataInf (PEHSTR_EXT)
- \svchost.exe (PEHSTR_EXT)
- X_LAST: (PEHSTR)
- X-MARK: (PEHSTR)
- send: %u shutdown. (PEHSTR)
- send: %u encode error. (PEHSTR)
- send: %u mem error. (PEHSTR)
- send: %u not found. (PEHSTR)
- 3event handler: already in process, %u, e=%u, p=%u. (PEHSTR)
- event handler: ending. uid=%u. (PEHSTR)
- event handler: fetch error, %u. (PEHSTR)
- -event handler: packet=%u, enter, %u, tid=%u. (PEHSTR)
- -event handler: packet=%u, leave, %u, tid=%u. (PEHSTR)
- %event handler: target not found, %u. (PEHSTR)
- )event handler: unknown unit type=%u, %u. (PEHSTR)
- 3wait4post: Begin, ptr=%#X, len=%u, uid=%u, tid=%u. (PEHSTR)
- (wait4post: End, uid=%u, res=%u, tid=%u. (PEHSTR)
- send raw: rebuild error. (PEHSTR)
- sendraw: chunk, uid=%u. (PEHSTR)
- sendraw: hdr deliver. uid=%u. (PEHSTR)
- <sendraw: post error, uid=%u, ptr=%#X, len=%u, res=%#X, %#X. (PEHSTR)
- ,sendraw: ptr=%#X, len=%u, state=%u, uid=%u. (PEHSTR)
- |#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
- }#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
- &|#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
- &}#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
- y*|#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
- y*}#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
- C|#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
- C}#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
- L|#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
- L}#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
- |#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
- }#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
- |#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
- }#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
- |#d3e037e1-3eb8-44c8-a917-57927947596d (NID)
- }#d3e037e1-3eb8-44c8-a917-57927947596d (NID)
- |#7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c (NID)
- }#7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c (NID)
- |#92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b (NID)
- }#92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b (NID)
rule Backdoor_Linux_Winnti_A_2147735867_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Winnti.A!dha"
        threat_id = "2147735867"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Winnti"
        severity = "Critical"
        info = "dha: an internal category used to refer to some threats"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "4"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "[advNetSrv] can not create a PF_INET socket" ascii //weight: 1
        $x_1_2 = "/usr/sbin/dmidecode | grep -i 'UUID' |cut -d' ' -f2 2>/dev/null" ascii //weight: 1
        $x_1_3 = "CONNECT %s:%d HTTP/1.0" ascii //weight: 1
        $x_1_4 = "HIDE_THIS_SHELL=" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

SHA-256: fc31793647211892bcb40db21f51a07f3b552804e76d71803dbb11aca7d375b7

Immediately isolate the compromised Linux system from the network. Utilize endpoint detection and response (EDR) or antivirus tools to quarantine and remove the backdoor. Conduct a thorough forensic investigation to identify the initial compromise vector, assess the extent of the breach, and confirm no persistence mechanisms remain. Reset all potentially compromised credentials and implement robust system hardening measures, including patching and network segmentation, to prevent re-infection.