Concrete signature match: Trojan - Appears legitimate but performs malicious actions for Linux platform, family Mirai
This is a variant of the Mirai botnet malware that compromises Linux-based systems, such as IoT devices and servers. The threat establishes a backdoor to gain remote control, enrolls the device into a botnet for DDoS attacks, and may attempt to spread to or attack other systems on the network.
Relevant strings associated with this threat: - /ver.txt (PEHSTR_EXT) - /update.txt (PEHSTR_EXT) - http://%s:8888/ (PEHSTR_EXT) - \msinfo.exe (PEHSTR_EXT) - /delete /f /tn msinfo (PEHSTR_EXT) - //%s:8888/ups.rar (PEHSTR_EXT) - //%s:8888/wpd.dat (PEHSTR_EXT) - //%s:8888/wpdmd5.txt (PEHSTR_EXT) - //down2.b5w91.com:8443 (PEHSTR_EXT) - /shell?%s (PEHSTR_EXT) - ;exec sp_add_jobserver (PEHSTR_EXT) - ;EXEC sp_droplogin (PEHSTR_EXT) - ;exec(@a); (PEHSTR_EXT) - <sip:carol@chicago.com> (PEHSTR_EXT) - @name='bat.exe',@freq_type=4,@active_start_date (PEHSTR_EXT) - @shell INT EXEC SP_ (PEHSTR_EXT) - [Cracker:MSSQL] Host:%s, blindExec CMD: %s (PEHSTR_EXT) - [ExecCode] (PEHSTR_EXT) - [ExecCode]AUTHORIZATION [dbo] FROM 0x4D5A (PEHSTR_EXT) - \Run','rundll32'; (PEHSTR_EXT) - C:\Progra~1\kugou2010&attrib (PEHSTR_EXT) - C:\Progra~1\mainsoft&attrib (PEHSTR_EXT) - C:\Progra~1\shengda&attrib (PEHSTR_EXT) - cmd3:[%s] (PEHSTR_EXT) - DROP ASSEMBLY ExecCode (PEHSTR_EXT) - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT) - rundll32 (PEHSTR_EXT) - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT) - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT) - !#HSTR:ExecutionGuardrails (PEHSTR_EXT) - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT) - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
rule Trojan_Linux_Mirai_2147740141_0
{
meta:
author = "threatcheck.sh"
detection_name = "Trojan:Linux/Mirai!MTB"
threat_id = "2147740141"
type = "Trojan"
platform = "Linux: Linux platform"
family = "Mirai"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
threshold = "4"
strings_accuracy = "High"
strings:
$x_1_1 = "/bin/busybox ESTELLA" ascii //weight: 1
$x_1_2 = "chmod 777 .load;" ascii //weight: 1
$x_1_3 = "killall -9 busybox telnetd" ascii //weight: 1
$x_1_4 = "echo -e \"/bin/busybox telnetd -p9000 -l/bin/sh" ascii //weight: 1
condition:
(filesize < 20MB) and
(all of ($x*))
}000a43a528055f8eb373bc1d26dcf0a417d33fcdc5b4cd9326b8e057bba6a785001cf9427a1b4a59ee7a04e047928645dd21e196ab033b23c3a0b6b68cfa4c6d002683b78b498f0026d08ffc0b0674b44b7111c8a424c801839ecd0f67d8c54b003048345e910a255e544ed3068ef7c2f323bd0e8add45cc0e2b26bd69c99fae0040611ca75906dd078983aa19376168837aa4cf1882baaffeaa00ca6607041bImmediately isolate the infected device from the network to prevent lateral movement and C2 communication. Re-image the system or perform a factory reset, then immediately change all default credentials. Ensure the device is fully patched and harden its configuration by disabling unnecessary services like Telnet.