The hypothesis is that this detection rule identifies potential adversarial activity involving the Derusbi Linux malware: it uses string-based signatures, gated on the ELF magic, to flag ELF binaries associated with an advanced persistent threat. Because it is a YARA rule, it runs against files (on-demand scans, EDR file inspection, or a file-scanning pipeline) rather than against telemetry; SOC teams should forward the resulting matches to Azure Sentinel and hunt around them (host, file path, hash, and the process that wrote or executed the file) to identify and contain early-stage compromise by an APT group using stealthy, low-noise persistence on Linux hosts.
YARA Rule
rule apt_nix_elf_Derusbi_Linux_Strings
{
    meta:
        Author = "@seifreed"
    strings:
        $a1 = "loadso" wide ascii fullword
        $a2 = "\nuname -a\n\n" wide ascii
        $a3 = "/dev/shm/.x11.id" wide ascii
        $a4 = "LxMain64" wide ascii nocase
        $a5 = "# \\u@\\h:\\w \\$ " wide ascii
        $b1 = "0123456789abcdefghijklmnopqrstuvwxyz" wide
        $b2 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" wide
        $b3 = "ret %d" wide fullword
        $b4 = "uname -a\n\n" wide ascii
        $b5 = "/proc/%u/cmdline" wide ascii
        $b6 = "/proc/self/exe" wide ascii
        $b7 = "cp -a %s %s" wide ascii
        $c1 = "/dev/pts/4" wide ascii fullword
        $c2 = "/tmp/1408.log" wide ascii fullword
    condition:
        uint32(0) == 0x464C457F and
        (
            (1 of ($a*) and 4 of ($b*)) or
            (1 of ($a*) and 1 of ($c*)) or
            2 of ($a*) or
            all of ($b*)
        )
}
This YARA rule can be deployed in the following contexts:
This rule contains 14 string patterns in its detection logic: five $a strings, seven $b strings (three of them, $b1 to $b3, are wide-only and therefore only match UTF-16LE text), and two $c strings. The uint32(0) == 0x464C457F check restricts matching to files that begin with the ELF magic, and the condition requires a combination of groups (one $a plus four $b, one $a plus one $c, two $a, or all seven $b), so no single generic string such as /proc/self/exe fires the rule on its own.
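To make the condition concrete, the following is an added pure-Python re-implementation of the rule's string matching and boolean condition. It is example code written for this page, not part of the original rule, of YARA, or of the rule author's tooling. It approximates the wide, nocase and fullword modifiers (the fullword check here looks only at the adjacent one- or two-byte unit, a simplification of YARA's behaviour), evaluates the same condition, and runs it over constructed byte buffers that stand in for a stripped ELF string table (ELF_IDENT, the _strtab helper and every SAMPLE_* buffer are constructed for this example and are not real Derusbi samples): two $a strings (match), one prompt string plus generic paths and an ASCII alphabet (no match), a non-fullword "loadsofter" next to /dev/pts/4 (no match), a text dump of the indicators (no match, because of the ELF gate), and all seven $b strings with the three wide-only ones encoded as UTF-16LE (match).

```python
import re
from dataclasses import dataclass

# uint32(0) == 0x464C457F is b"\x7fELF" read as a little-endian 32-bit int.
ELF_MAGIC_LE = 0x464C457F


@dataclass(frozen=True)
class StrPattern:
    name: str
    text: str
    ascii: bool = False     # match the raw single-byte form
    wide: bool = False      # match the UTF-16LE form (each char followed by 0x00)
    fullword: bool = False  # no ASCII letter/digit directly before or after
    nocase: bool = False    # case-insensitive match


# The rule's strings with the same modifiers. $b1-$b3 are 'wide' only,
# so their plain ASCII form does not count as a hit.
PATTERNS = [
    StrPattern("$a1", "loadso", ascii=True, wide=True, fullword=True),
    StrPattern("$a2", "\nuname -a\n\n", ascii=True, wide=True),
    StrPattern("$a3", "/dev/shm/.x11.id", ascii=True, wide=True),
    StrPattern("$a4", "LxMain64", ascii=True, wide=True, nocase=True),
    StrPattern("$a5", "# \\u@\\h:\\w \\$ ", ascii=True, wide=True),
    StrPattern("$b1", "0123456789abcdefghijklmnopqrstuvwxyz", wide=True),
    StrPattern("$b2", "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ", wide=True),
    StrPattern("$b3", "ret %d", wide=True, fullword=True),
    StrPattern("$b4", "uname -a\n\n", ascii=True, wide=True),
    StrPattern("$b5", "/proc/%u/cmdline", ascii=True, wide=True),
    StrPattern("$b6", "/proc/self/exe", ascii=True, wide=True),
    StrPattern("$b7", "cp -a %s %s", ascii=True, wide=True),
    StrPattern("$c1", "/dev/pts/4", ascii=True, wide=True, fullword=True),
    StrPattern("$c2", "/tmp/1408.log", ascii=True, wide=True, fullword=True),
]


def _is_alnum_unit(unit: bytes) -> bool:
    """True if a 1-byte (ascii) or 2-byte (wide) unit is an ASCII letter or digit."""
    if not unit or (len(unit) == 2 and unit[1] != 0):
        return False
    return unit[0] < 0x80 and chr(unit[0]).isalnum()


def _fullword_ok(data: bytes, start: int, end: int, width: int) -> bool:
    """Simplified fullword: the neighbouring unit on either side is not alphanumeric."""
    before = data[start - width:start] if start >= width else b""
    after = data[end:end + width]
    return not (_is_alnum_unit(before) or _is_alnum_unit(after))


def _pattern_hits(data: bytes, p: StrPattern) -> bool:
    forms = []
    if p.ascii:
        forms.append((1, p.text.encode("latin-1")))
    if p.wide:
        forms.append((2, p.text.encode("utf-16-le")))
    flags = re.IGNORECASE if p.nocase else 0
    for width, needle in forms:
        for m in re.finditer(re.escape(needle), data, flags):
            if not p.fullword or _fullword_ok(data, m.start(), m.end(), width):
                return True
    return False


def derusbi_hits(data: bytes) -> list:
    """Names of the rule strings found in data (the ELF gate is not applied here)."""
    return [p.name for p in PATTERNS if _pattern_hits(data, p)]


def derusbi_match(data: bytes) -> bool:
    """Evaluate the condition exactly as the YARA source writes it."""
    if len(data) < 4 or int.from_bytes(data[:4], "little") != ELF_MAGIC_LE:
        return False  # uint32(0) gate: non-ELF files never match, whatever they contain
    hits = derusbi_hits(data)
    a = sum(h.startswith("$a") for h in hits)
    b = sum(h.startswith("$b") for h in hits)
    c = sum(h.startswith("$c") for h in hits)
    return (a >= 1 and b >= 4) or (a >= 1 and c >= 1) or a >= 2 or b == 7


# Constructed sample buffers (not real binaries): a 16-byte ELF e_ident stub
# followed by a fake NUL-separated string table.
ELF_IDENT = b"\x7fELF\x02\x01\x01" + b"\x00" * 9


def _strtab(*items: bytes) -> bytes:
    return b"\x00" + b"\x00".join(items) + b"\x00"


SAMPLE_TWO_A = ELF_IDENT + _strtab(b"loadso", b"lxmain64", b"/proc/self/exe")
SAMPLE_PROMPT_ONLY = ELF_IDENT + _strtab(
    b"# \\u@\\h:\\w \\$ ", b"/proc/self/exe", b"cp -a %s %s",
    b"0123456789abcdefghijklmnopqrstuvwxyz")  # ASCII alphabet: $b1 is wide-only
SAMPLE_NOT_FULLWORD = ELF_IDENT + _strtab(b"loadsofter", b"/dev/pts/4")
SAMPLE_TEXT_DUMP = b"strings output:\n" + _strtab(
    b"loadso", b"/dev/shm/.x11.id", b"/tmp/1408.log")
SAMPLE_ALL_B = ELF_IDENT + _strtab(
    "0123456789abcdefghijklmnopqrstuvwxyz".encode("utf-16-le"),
    "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ".encode("utf-16-le"),
    "ret %d".encode("utf-16-le"),
    b"uname -a\n\n", b"/proc/%u/cmdline", b"/proc/self/exe", b"cp -a %s %s")

if __name__ == "__main__":
    for label, buf in [("two $a", SAMPLE_TWO_A), ("prompt only", SAMPLE_PROMPT_ONLY),
                       ("not fullword", SAMPLE_NOT_FULLWORD), ("text dump", SAMPLE_TEXT_DUMP),
                       ("all $b", SAMPLE_ALL_B)]:
        print(f"{label:14s} match={derusbi_match(buf)!s:5s} hits={derusbi_hits(buf)}")
```

In production the real rule is run with yara or yara-python; the point of the re-implementation is to show what the condition does and does not accept. A single common string such as /proc/self/exe or the shell prompt format never fires on its own, a truncated "loadso" inside a longer identifier is rejected by fullword, a strings dump or report containing every indicator is rejected by the ELF gate, and the all-of-$b path only fires when $b1 to $b3 appear as UTF-16LE, which is unusual for a Linux ELF and so a strong signal in itself.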
Because this is a YARA rule, it matches on file content, not on running processes, so exclusions based on process command lines or parent processes (for example, excluding when the command line contains strings or gcc) do not apply to it. Realistic false-positive sources and how to handle them:
Scenario: An analyst runs strings or another text extractor over a suspected binary and saves the output to disk, or documents the indicators in a report or in a copy of this rule.
Filter/Exclusion: None needed. The condition begins with uint32(0) == 0x464C457F, so text files, reports, and rule files never match; only files that start with the ELF magic are evaluated.
Scenario: A scheduled apt or dpkg run installs or updates distribution packages, leaving ELF binaries under /usr/bin/ and package data under /var/lib/apt/.
Filter/Exclusion: Do not exclude system paths wholesale; a Derusbi implant dropped into a system directory is exactly what the rule exists to catch. A match on a file that appears to belong to a distribution package should be verified (package ownership and hash against the distribution) and, only if it checks out, allow-listed by hash.
Scenario: A developer compiles a C program with gcc that legitimately uses /proc/self/exe, /proc/%u/cmdline, or cp -a %s %s.
Filter/Exclusion: Usually no exclusion is needed: those are $b strings, and the condition requires either one $a string plus four $b strings or all seven $b strings (three of which must be present as UTF-16LE), so generic Linux strings alone do not fire. If a test harness under a development directory such as /home/user/dev/ deliberately embeds the full indicator set, exclude that build artifact by hash or path.
Scenario: A security tool such as ClamAV or Sophos has quarantined a matching sample, or the host stores signature data for it.
Filter/Exclusion: Signature databases are not ELF files and do not match. If the product keeps quarantined files in their original form, the stored copy will match on every scan; exclude the quarantine directory by path (for example under /opt/sophos/, or the directory passed to clamscan --move) rather than by process name.
Scenario: A malware analysis host runs Cuckoo Sandbox or REMnux and stores samples on disk.
Filter/Exclusion: These are true positives on the file and expected on that host. Scope the rule to production endpoints, or exclude sample storage paths such as /usr/local/cuckoo/ or /opt/remnux/, and keep alerting on any other path on the analysis host.