Concrete signature match: Trojan Downloader - Downloads additional malware for Linux platform, family SAgnt
TrojanDownloader:Linux/SAgnt.G!MTB is a downloader detection raised on a Linux host. Despite the Linux platform tag in the name, the associated signature strings point to Windows tradecraft: the payload it fetches is expected to run on Windows, using native tools such as mshta, regsvr32, rundll32, PowerShell, BITS jobs and Scheduled Tasks for execution and persistence. The flagged file on the Linux host is therefore most plausibly a staged Windows payload (for example on a file share, web root or build server) rather than native Linux malware; treat the Linux host as the delivery point and the Windows fleet as the intended target.
Relevant strings associated with this threat:

- gq|#TEL (NID)
- gq}#TEL (NID)
- ToBase64String (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- WH_DEBUG (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- regsvr32 (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- ENIGMA (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)

The PEHSTR_EXT entries are string matches applied to a PE (Windows executable) image, and the !#HSTR:... entries reference Defender's shared sub-signatures for the named technique (mshta, regsvr32, rundll32, BITS jobs, PowerShell, scheduled tasks, data encoding and Windows message hooks). WH_DEBUG is the SetWindowsHookEx hook type used to intercept other hook procedures, and ENIGMA is consistent with a sample packed with Enigma Protector, so strings seen in a static dump may belong to the packer stub rather than the payload; confirm behaviour dynamically before relying on any single string.
Associated sample hashes (64 hex characters each, i.e. SHA-256 length):

- cd0d6a6646e3d1b9192d4362cfc014e30f225e8a679f4da548a8f5ee6aff6cce
- df4fe36ee361e1507c096e54d46ecea644c962ae3aaad9b03cb5aa4f5eb7785e
- 9a0e2a443cc6e7ef86280342bea30543bf40a44df83f97400c28f3b4f1c0fb62

Remediation: Isolate the compromised Linux system from the network. Hash and preserve a copy of the flagged file before deleting it, so the sample and its origin can still be analysed, then remove the file together with any associated persistence mechanisms (e.g., cron jobs, systemd services). Because the indicators describe a Windows payload, also check the locations from which the Linux host serves files to Windows clients (Samba/NFS exports, web roots, software or update repositories), since these are the likely delivery paths. Scan all Windows endpoints on the network for malicious payloads that may have been deployed from this host, including the execution and persistence artifacts the strings point to (mshta/regsvr32/rundll32 invocations, BITS jobs, scheduled tasks, PowerShell with Base64-encoded commands), and investigate for signs of lateral movement.
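The Linux-side remediation steps above, as an added POSIX sh example that is not part of this page or of any vendor tooling: it hashes files under the usual drop directories against the three sample hashes listed on this page and enumerates the cron and systemd locations an analyst has to clear. The hash list is the page's; every path, function name and the constructed test data are assumptions for illustration, and the directory lists are a starting point rather than an exhaustive inventory of persistence locations.

```shell
#!/bin/sh
# Added example (not from the page or from Microsoft): a POSIX sh hunt that
# turns the remediation steps into checks. The three hashes are the ones
# listed on this page; paths and function names are assumptions.

IOC_HASHES="
cd0d6a6646e3d1b9192d4362cfc014e30f225e8a679f4da548a8f5ee6aff6cce
df4fe36ee361e1507c096e54d46ecea644c962ae3aaad9b03cb5aa4f5eb7785e
9a0e2a443cc6e7ef86280342bea30543bf40a44df83f97400c28f3b4f1c0fb62
"

# SHA-256 of one file; sha256sum on Linux, shasum on systems without it.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Exit 0 when HASH (any case) is one of the IOC hashes, 1 otherwise.
is_ioc_hash() {
    h=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    for ioc in $IOC_HASHES; do
        if [ "$h" = "$ioc" ]; then return 0; fi
    done
    return 1
}

# Hash every regular file under DIR and print "sha256 path" for IOC matches.
# Exit 0 if anything matched, 1 if nothing did (so it composes with ||).
scan_dir() {
    matches=$(find "$1" -type f -print 2>/dev/null | while IFS= read -r f; do
        h=$(sha256_of "$f") || continue   # skip unreadable files
        if is_ioc_hash "$h"; then printf '%s %s\n' "$h" "$f"; fi
    done)
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches"
}

# Persistence locations the remediation step names (cron and systemd), listed
# as files under ROOT so the same function works on a live host (ROOT empty)
# or on a mounted disk image. Enabled units are symlinks in *.wants; the unit
# files they point to are what this lists.
list_persistence() {
    root=${1:-}
    for d in /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly \
             /var/spool/cron /var/spool/cron/crontabs \
             /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system \
             /root/.config/systemd/user; do
        if [ -d "$root$d" ]; then find "$root$d" -type f -print 2>/dev/null; fi
    done
    if [ -f "$root/etc/crontab" ]; then printf '%s\n' "$root/etc/crontab"; fi
    return 0
}

# Convenience entry point: IOC-hash the usual drop and serving directories
# (assumed list), then print persistence candidates for manual review.
hunt_host() {
    root=${1:-}
    for d in /tmp /var/tmp /dev/shm /srv /var/www; do
        if [ -d "$root$d" ]; then scan_dir "$root$d" || true; fi
    done
    echo "# persistence candidates under ${root:-/}:"
    list_persistence "$root"
}
```

Source the file and run `hunt_host` on the live host, or `hunt_host /mnt/image` against a mounted copy of the disk; a hash match confirms the sample, while the persistence list still has to be read by hand, since a clean-looking unit or cron entry can launch a payload from elsewhere. Hashing only the listed directories keeps the run fast; a full-filesystem `scan_dir /` is the thorough option once the host is isolated.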