Potentially Suspicious Malware Callback Communication - Linux

 1title: Potentially Suspicious Malware Callback Communication - Linux
 2id: dbfc7c98-04ab-4ab7-aa94-c74d22aa7376
 3related:
 4    - id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
 5      type: derived
 6status: experimental
 7description: |
 8        Detects programs that connect to known malware callback ports based on threat intelligence reports.
 9references:
10    - https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections
11    - https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team
12    - https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html
13    - https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html
14    - https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
15author: hasselj
16date: 2024/05/10
17tags:
18    - attack.persistence
19    - attack.command_and_control
20    - attack.t1571
21logsource:
22    category: network_connection
23    product: linux
24detection:
25    selection:
26        Initiated: 'true'
27        DestinationPort:
28            - 888
29            - 999
30            - 2200
31            - 2222
32            - 4000
33            - 4444
34            - 6789
35            - 8531
36            - 50501
37            - 51820
38    filter_main_local_ranges:
39        DestinationIp|cidr:
40            - '127.0.0.0/8'
41            - '10.0.0.0/8'
42            - '172.16.0.0/12'
43            - '192.168.0.0/16'
44            - '169.254.0.0/16'
45            - '::1/128'         # IPv6 loopback
46            - 'fe80::/10'       # IPv6 link-local addresses
47            - 'fc00::/7'        # IPv6 private addresses
48    condition: selection and not 1 of filter_main_*
49falsepositives:
50    - Unknown
51level: high

References

• TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping | Google Cloud Blog

  

  Tools and TTPs Indicate a Deep Interest in Ensuring Prolonged and Persistent Access to the Target Environment The targeted attack lifecycle of a sophisticated ICS attack is often measured in years....

  
  Read More

• Sandworm Team and the Ukrainian Power Authority Attacks | Mandiant | Google Cloud Blog

  

  Update 1.11.16 - SANS ICS Team Connects Dots Updating the blog entry to bring attention to the recent analysis published by Mike Assante from the SANS ICS team. "After analyzing the information tha...

  
  Read More

• Potential Non-Standard Port SSH connection | Elastic Security Solution [8.14] | Elastic

  

  Potential Non-Standard Port SSH connectionedit Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port ...

  
  Read More

• SystemBC Malware's C2 Server Analysis Exposes Payload Delivery Tricks

  

  Cybersecurity experts reveal the inner workings of SystemBC's command-and-control (C2) server, a dangerous malware available on the dark web.

  
  Read More

• Sliver C2 Leveraged by Many Threat Actors

  

  Threat Research: Sliver C2 gets more and more traction from Threat Actors, often seen as an alternative from Cobalt Striker.

  
  Read More

Related rules

• Communication To Uncommon Destination Ports
• Potentially Suspicious Malware Callback Communication
• Bitsadmin to Uncommon TLD
• OilRig APT Schedule Task Persistence - System
• Bitsadmin to Uncommon IP Server Address