Concrete signature match: Trojan - Appears legitimate but performs malicious actions for Linux platform, family Mirai
This is a concrete detection of a Linux-based Trojan from the Mirai botnet family. The malware infects Linux systems to enslave them for Distributed Denial-of-Service (DDoS) attacks. Evidence suggests this variant also contains capabilities to scan for and exploit Microsoft SQL Server vulnerabilities on Windows systems to propagate further within a network.
Relevant strings associated with this threat: - /ver.txt (PEHSTR_EXT) - /update.txt (PEHSTR_EXT) - http://%s:8888/ (PEHSTR_EXT) - \msinfo.exe (PEHSTR_EXT) - /delete /f /tn msinfo (PEHSTR_EXT) - //%s:8888/ups.rar (PEHSTR_EXT) - //%s:8888/wpd.dat (PEHSTR_EXT) - //%s:8888/wpdmd5.txt (PEHSTR_EXT) - //down2.b5w91.com:8443 (PEHSTR_EXT) - /shell?%s (PEHSTR_EXT) - ;exec sp_add_jobserver (PEHSTR_EXT) - ;EXEC sp_droplogin (PEHSTR_EXT) - ;exec(@a); (PEHSTR_EXT) - <sip:carol@chicago.com> (PEHSTR_EXT) - @name='bat.exe',@freq_type=4,@active_start_date (PEHSTR_EXT) - @shell INT EXEC SP_ (PEHSTR_EXT) - [Cracker:MSSQL] Host:%s, blindExec CMD: %s (PEHSTR_EXT) - [ExecCode] (PEHSTR_EXT) - [ExecCode]AUTHORIZATION [dbo] FROM 0x4D5A (PEHSTR_EXT) - \Run','rundll32'; (PEHSTR_EXT) - C:\Progra~1\kugou2010&attrib (PEHSTR_EXT) - C:\Progra~1\mainsoft&attrib (PEHSTR_EXT) - C:\Progra~1\shengda&attrib (PEHSTR_EXT) - cmd3:[%s] (PEHSTR_EXT) - DROP ASSEMBLY ExecCode (PEHSTR_EXT) - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT) - rundll32 (PEHSTR_EXT) - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT) - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT) - !#HSTR:ExecutionGuardrails (PEHSTR_EXT) - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT) - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
rule Trojan_Linux_Mirai_AMTB_2147957847_0
{
meta:
author = "threatcheck.sh"
detection_name = "Trojan:Linux/Mirai!AMTB"
threat_id = "2147957847"
type = "Trojan"
platform = "Linux: Linux platform"
family = "Mirai"
severity = "Critical"
signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
threshold = "5"
strings_accuracy = "High"
strings:
$x_1_1 = "fuser -k -n tcp %d 2>/dev/null" ascii //weight: 1
$x_1_2 = "NFnhiFSDfdsfFSD" ascii //weight: 1
$x_1_3 = "[locker] fcntl F_GETFL" ascii //weight: 1
$x_1_4 = "[locker] fcntl F_SETFL" ascii //weight: 1
$x_1_5 = "npxXoudifFeEgGaACScs" ascii //weight: 1
condition:
(filesize < 20MB) and
(all of ($x*))
}146bd08cc8eb08e41f981cbe699d24060e5435e5a20ae50bd486b2c4ff62ffee19da6d3eb23bf6e9003059d7a858f78b88abac28ff9f4db084eb042ffe34d38935c9d3da8b79dadf8d48c56a2b82fe86f4c59508e8cf5128a642ba0a41812186bc761ff9c87e32b44563fce7236d5dcf5e16ad1a8e91ca91b74a7077070ffa0dc2c61d4a983e8195f5e346efc23cc797eebf5e74f166b344b93e2ef64f421b0eImmediately isolate the infected Linux device from the network to prevent C2 communication and participation in DDoS attacks. Identify and terminate the malicious process, then delete the associated file. Review firewall and server logs for outbound scanning and exploitation attempts against Windows and MSSQL systems originating from this host. Change all credentials on the compromised device and ensure all services are patched and securely configured.