Concrete signature match: Trojan - Appears legitimate but performs malicious actions for Linux platform, family SAgnt
This is a concrete detection of Trojan:Linux/SAgnt.S!MTB, a Linux-based Trojan. Although the detected file is a Linux ELF binary, it contains strings associated with Windows-specific attack techniques, which indicates a multi-platform threat: abuse of legitimate Windows binaries (mshta, regsvr32, rundll32, bitsadmin, schtasks, PowerShell), Windows API hooking for monitoring (WH_MOUSE, WH_SHELL), and data encoding. Taken together, these suggest the sample can deploy or manage Windows-targeting payloads or act as a command-and-control (C2) component.
Relevant strings associated with this threat:
- !#HSTR:IntentBase64 (PEHSTR_EXT)
- ToBase64String (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- mshta (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- WH_MOUSE (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- WH_SHELL (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- regsvr32 (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- bitsadmin (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- shch (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
rule Trojan_Linux_SAgnt_S_2147935645_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Linux/SAgnt.S!MTB"
        threat_id = "2147935645"
        type = "Trojan"
        platform = "Linux: Linux platform"
        family = "SAgnt"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "3"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {31 c9 ba 00 10 00 00 48 89 ee 89 df e8 08 fd ff ff 85 c0 48 89 c2 89 c1 7e 21 48 89 e8 80 30 99 48 ff c0 89 c6 29 ee 39 ce 7c f2 48 63 d2 48 89 ee 44 89 ef} //weight: 1, accuracy: High
        $x_1_2 = {31 c0 b9 00 04 00 00 48 89 ef f3 ab 89 df e8 1b fd ff ff 49 8b 3c 24 48 8d b4 24 30 08 00 00 31 c0 e8 78 fd ff ff 48 8d b4 24 30 08 00 00 ba 01 00 00 00 bf 52 0e 40 00 31 c0 e8 bf fc ff ff 48 8b 15 d8 06 20 00 48 8d 74 24 10 44 89 ef 31 c0 48 c7 44 24 10 56 0e 40 00 48 c7 44 24 18 00 00 00 00 e8 07 fd ff ff 89 df e8 c0 fc ff ff 48 81 c4 38 1c 00 00 31 c0 5b 5d 41 5c 41 5d c3} //weight: 1, accuracy: High
        $x_1_3 = {66 44 8b 4c 24 22 41 b8 c5 0d 40 00 66 41 c1 c9 08 45 0f b7 c9 48 89 ef b9 a4 0d 40 00 41 51 68 a4 0d 40 00 ba c9 0d 40 00 be cd 0d 40 00 31 c0 e8 a7 fe ff ff 31 c9 ba 00 04 00 00 48 89 ee 89 df e8 f6 fd ff ff 31 c0 48 89 ef b9 00 01 00 00 f3 ab 31 ed 58} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Associated sample hash (SHA-256): 91cca9db00070f0ae92ae8bc14306b10fbd54e1bd5fe785c0e62cfecd92afa1f

Recommended response: Immediately isolate the affected Linux system to prevent further compromise. Conduct a thorough forensic analysis to determine the initial compromise vector and the scope of the attack, identifying any deployed Windows payloads or impacted Windows systems. Eradicate the malicious file, restore from clean backups if necessary, and ensure all systems are fully patched and hardened with up-to-date security software.