Concrete signature match: Trojan - Appears legitimate but performs malicious actions for Linux platform, family Mirai
This is a variant of the Mirai botnet malware that compromises Linux-based systems, such as IoT devices and servers. The threat establishes a backdoor to gain remote control, enrolls the device into a botnet for DDoS attacks, and may attempt to spread to or attack other systems on the network.
Relevant strings associated with this threat: - /ver.txt (PEHSTR_EXT) - /update.txt (PEHSTR_EXT) - http://%s:8888/ (PEHSTR_EXT) - \msinfo.exe (PEHSTR_EXT) - /delete /f /tn msinfo (PEHSTR_EXT) - //%s:8888/ups.rar (PEHSTR_EXT) - //%s:8888/wpd.dat (PEHSTR_EXT) - //%s:8888/wpdmd5.txt (PEHSTR_EXT) - //down2.b5w91.com:8443 (PEHSTR_EXT) - /shell?%s (PEHSTR_EXT) - ;exec sp_add_jobserver (PEHSTR_EXT) - ;EXEC sp_droplogin (PEHSTR_EXT) - ;exec(@a); (PEHSTR_EXT) - <sip:carol@chicago.com> (PEHSTR_EXT) - @name='bat.exe',@freq_type=4,@active_start_date (PEHSTR_EXT) - @shell INT EXEC SP_ (PEHSTR_EXT) - [Cracker:MSSQL] Host:%s, blindExec CMD: %s (PEHSTR_EXT) - [ExecCode] (PEHSTR_EXT) - [ExecCode]AUTHORIZATION [dbo] FROM 0x4D5A (PEHSTR_EXT) - \Run','rundll32'; (PEHSTR_EXT) - C:\Progra~1\kugou2010&attrib (PEHSTR_EXT) - C:\Progra~1\mainsoft&attrib (PEHSTR_EXT) - C:\Progra~1\shengda&attrib (PEHSTR_EXT) - cmd3:[%s] (PEHSTR_EXT) - DROP ASSEMBLY ExecCode (PEHSTR_EXT) - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT) - rundll32 (PEHSTR_EXT) - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT) - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT) - !#HSTR:ExecutionGuardrails (PEHSTR_EXT) - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT) - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
rule Trojan_Linux_Mirai_2147740141_0
{
meta:
author = "threatcheck.sh"
detection_name = "Trojan:Linux/Mirai!MTB"
threat_id = "2147740141"
type = "Trojan"
platform = "Linux: Linux platform"
family = "Mirai"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
threshold = "4"
strings_accuracy = "High"
strings:
$x_1_1 = "/bin/busybox ESTELLA" ascii //weight: 1
$x_1_2 = "chmod 777 .load;" ascii //weight: 1
$x_1_3 = "killall -9 busybox telnetd" ascii //weight: 1
$x_1_4 = "echo -e \"/bin/busybox telnetd -p9000 -l/bin/sh" ascii //weight: 1
condition:
(filesize < 20MB) and
(all of ($x*))
}b9d411ca4a365f3f9b0760e9b13747da5d8dd6033e5fe98027f0bdb812a7c7d0dc5a374ffa5bf4f3079dc0663aa765387ddec2403401aa580d66eae0dbec2620695c5be2cfc87c11d99ebf1fa0b0808d38b778039a684cd49d3b5f75e9a670949adbcd67e5b21d89b8eee016d2a0476679b09d5066644441f399e69a059d65c342818e9c2e20c3c288a02e3eac4e4ec813e9f48470b652606e0c7bd9f97b1f39Immediately isolate the infected device from the network to prevent lateral movement and C2 communication. Re-image the system or perform a factory reset, then immediately change all default credentials. Ensure the device is fully patched and harden its configuration by disabling unnecessary services like Telnet.