Concrete signature match: Trojan - Appears legitimate but performs malicious actions for Linux platform, family Kaiji
This detection identifies Trojan:Linux/Kaiji.E!MTB, a specific variant of the Kaiji Trojan targeting Linux systems. Kaiji is typically associated with establishing botnets, performing DDoS attacks, and potentially credential theft. The detection, which combines concrete signature matching with machine learning behavioral analysis, indicates a high-confidence identification of this malicious ELF executable.
No specific strings found for this threat
rule Trojan_Linux_Kaiji_E_2147928899_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Linux/Kaiji.E!MTB"
        threat_id = "2147928899"
        type = "Trojan"
        platform = "Linux: Linux platform"
        family = "Kaiji"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {08 10 9a e5 01 00 5d e1 33 00 00 9a 10 e0 2d e5 d4 00 9f e5 04 00 8d e5 0a 2e 00 eb 08 30 9d e5 05 00 a0 e3 04 00 83 e5 c0 10 9f e5 00 10 83 e5 bc 10 9f e5 08 10 83 e5 14 00 83 e5 b4 00 9f e5 10 00 83 e5 b0 00 9f e5 18 00 83 e5 02 00 a0 e3} //weight: 1, accuracy: High
        $x_1_2 = {9e e6 00 eb c4 03 9f e5 04 00 8d e5 10 10 a0 e3 08 10 8d e5 f1 e8 00 eb 30 00 9d e5 04 00 8d e5 28 00 9d e5 01 00 40 e2 08 00 8d e5 eb e8 00 eb 9c 03 9f e5 04 00 8d e5 20 10 a0 e3 08 10 8d e5} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

4a97b1c545ae2f9f5e3b5aad2db93a763aaeed9678ef6fbf3d5149f912a31e93

Immediately isolate the affected Linux system to prevent further compromise. Perform a full system scan with up-to-date security software and remove all detected threats. Investigate for signs of lateral movement or persistence, patch any exploited vulnerabilities, and strengthen network security controls.