Concrete signature match: Trojan - Appears legitimate but performs malicious actions for Linux platform, family Mirai
This is a variant of the Mirai botnet malware that compromises Linux-based systems, such as IoT devices and servers. The threat establishes a backdoor to gain remote control, enrolls the device into a botnet for DDoS attacks, and may attempt to spread to or attack other systems on the network.
Relevant strings associated with this threat: - /ver.txt (PEHSTR_EXT) - /update.txt (PEHSTR_EXT) - http://%s:8888/ (PEHSTR_EXT) - \msinfo.exe (PEHSTR_EXT) - /delete /f /tn msinfo (PEHSTR_EXT) - //%s:8888/ups.rar (PEHSTR_EXT) - //%s:8888/wpd.dat (PEHSTR_EXT) - //%s:8888/wpdmd5.txt (PEHSTR_EXT) - //down2.b5w91.com:8443 (PEHSTR_EXT) - /shell?%s (PEHSTR_EXT) - ;exec sp_add_jobserver (PEHSTR_EXT) - ;EXEC sp_droplogin (PEHSTR_EXT) - ;exec(@a); (PEHSTR_EXT) - <sip:carol@chicago.com> (PEHSTR_EXT) - @name='bat.exe',@freq_type=4,@active_start_date (PEHSTR_EXT) - @shell INT EXEC SP_ (PEHSTR_EXT) - [Cracker:MSSQL] Host:%s, blindExec CMD: %s (PEHSTR_EXT) - [ExecCode] (PEHSTR_EXT) - [ExecCode]AUTHORIZATION [dbo] FROM 0x4D5A (PEHSTR_EXT) - \Run','rundll32'; (PEHSTR_EXT) - C:\Progra~1\kugou2010&attrib (PEHSTR_EXT) - C:\Progra~1\mainsoft&attrib (PEHSTR_EXT) - C:\Progra~1\shengda&attrib (PEHSTR_EXT) - cmd3:[%s] (PEHSTR_EXT) - DROP ASSEMBLY ExecCode (PEHSTR_EXT) - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT) - rundll32 (PEHSTR_EXT) - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT) - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT) - !#HSTR:ExecutionGuardrails (PEHSTR_EXT) - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT) - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
rule Trojan_Linux_Mirai_2147740141_0
{
meta:
author = "threatcheck.sh"
detection_name = "Trojan:Linux/Mirai!MTB"
threat_id = "2147740141"
type = "Trojan"
platform = "Linux: Linux platform"
family = "Mirai"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
threshold = "4"
strings_accuracy = "High"
strings:
$x_1_1 = "/bin/busybox ESTELLA" ascii //weight: 1
$x_1_2 = "chmod 777 .load;" ascii //weight: 1
$x_1_3 = "killall -9 busybox telnetd" ascii //weight: 1
$x_1_4 = "echo -e \"/bin/busybox telnetd -p9000 -l/bin/sh" ascii //weight: 1
condition:
(filesize < 20MB) and
(all of ($x*))
}4a99f4802d4a7c8db9f9f8c5cd07d9f650f5693fa2d42cc16eea44a56431883619da22b5025a9a9b7c29fc14a2205b0a6458bd13b0ebfad0077b7ca0feb29ff86012b94a2e7e1c86a8184ecb88b8f295f037a87a3268fd357597a0b39f6cdef4c80c6228ca08007ae6de2fadd86fc12aa75f2f1c96eb3c2e429da1cef3fedffa99e33c5f3bcc871734d738567c607b66dec14bf482805ceb10921a531da881e0Immediately isolate the infected device from the network to prevent lateral movement and C2 communication. Re-image the system or perform a factory reset, then immediately change all default credentials. Ensure the device is fully patched and harden its configuration by disabling unnecessary services like Telnet.