Hypothesis: this detection identifies Linux-based malware droppers and the payloads they drop, which may indicate a sophisticated adversary leveraging a known exploit vector. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts that may evade traditional detection methods.
YARA Rule
rule ChickenDOS_Linux
{
    meta:
        author = "Jason Jones <[email protected]>"
        description = "Linux-variant of Chicken ident for both dropper and dropped file"
        source = "https://github.com/arbor/yara/blob/master/chicken.yara"
    strings:
        $cfg = "fake.cfg"
        $file1 = "ThreadAttack.cpp"
        $file2 = "Fake.cpp"
        $str1 = "dns_array"
        $str2 = "DomainRandEx"
        $str3 = "cpu %llu %llu %llu %llu"
        $str4 = "[ %02d.%02d %02d:%02d:%02d.%03ld ] [%lu] [%s] %s" ascii
    condition:
        $cfg and all of ($file*) and 3 of ($str*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic.
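The condition above reads as "the config string, both source-file names, and at least three of the four payload strings" (YARA's "n of" means at least n). The following is an added example, not code from the page or from the arbor/yara repository: a pure-Python re-implementation of this one rule's matching logic so its condition can be exercised on constructed byte buffers without a YARA install. It assumes plain ASCII string semantics only (no wide, nocase or regex modifiers); the sample buffers are constructed here and are not real Chicken binaries. Real scanning should use yara or yara-python; this mirrors the semantics for understanding and unit-testing the rule.

```python
"""Pure-Python evaluator for the ChickenDOS_Linux rule (added example, not
from the page or from arbor/yara). Plain ASCII strings only."""

from dataclasses import dataclass

# The rule's string definitions, keyed by their YARA identifiers.
RULE_STRINGS = {
    "$cfg": b"fake.cfg",
    "$file1": b"ThreadAttack.cpp",
    "$file2": b"Fake.cpp",
    "$str1": b"dns_array",
    "$str2": b"DomainRandEx",
    "$str3": b"cpu %llu %llu %llu %llu",
    "$str4": b"[ %02d.%02d %02d:%02d:%02d.%03ld ] [%lu] [%s] %s",
}


@dataclass
class ScanResult:
    matched: bool
    hits: dict  # identifier -> list of byte offsets (only identifiers that hit)


def find_all(haystack: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in haystack (overlaps allowed)."""
    offsets, start = [], 0
    while True:
        i = haystack.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def scan_buffer(data: bytes) -> ScanResult:
    """Evaluate '$cfg and all of ($file*) and 3 of ($str*)' over data."""
    hits = {ident: find_all(data, pat) for ident, pat in RULE_STRINGS.items()}
    present = {ident for ident, offs in hits.items() if offs}
    file_ids = [i for i in RULE_STRINGS if i.startswith("$file")]
    str_ids = [i for i in RULE_STRINGS if i.startswith("$str")]
    matched = (
        "$cfg" in present
        and all(i in present for i in file_ids)          # all of ($file*)
        and sum(i in present for i in str_ids) >= 3      # 3 of ($str*) = at least 3
    )
    return ScanResult(matched, {i: hits[i] for i in present})


def scan_file(path: str) -> ScanResult:
    """Convenience wrapper: scan a file on disk with the same logic."""
    with open(path, "rb") as fh:
        return scan_buffer(fh.read())


# Constructed samples (NOT real malware): filler bytes with the rule's
# indicators embedded, as a dropper carrying its payload's strings would show.
SAMPLE_DROPPER = (
    b"\x7fELF" + b"\x00" * 32
    + b"fake.cfg\x00ThreadAttack.cpp\x00Fake.cpp\x00"
    + b"dns_array\x00DomainRandEx\x00cpu %llu %llu %llu %llu\x00"
)
# Near miss: has the config and both source-file names but only two payload strings.
SAMPLE_NEAR_MISS = b"fake.cfg ThreadAttack.cpp Fake.cpp dns_array DomainRandEx"
# Benign: an ordinary update script with none of the indicators.
SAMPLE_BENIGN = b"#!/bin/sh\napt-get update && apt-get -y upgrade\n"


if __name__ == "__main__":
    for name, buf in (("dropper", SAMPLE_DROPPER),
                      ("near miss", SAMPLE_NEAR_MISS),
                      ("benign", SAMPLE_BENIGN)):
        r = scan_buffer(buf)
        print(f"{name:10s} matched={r.matched} hits={sorted(r.hits)}")
```

The near-miss sample is the useful one to keep in a test suite: it shows that the rule tolerates a missing payload string but not two, which is exactly the margin that decides whether a partially stripped or repacked sample is still caught.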
Scenario: System update or package installation using apt or yum
Description: A legitimate system update might include scripts or binaries that resemble the malicious behavior of the Chicken dropper.
Filter/Exclusion: Exclude processes related to package managers (apt, yum, dnf, apt-get, aptitude) or known safe repositories.
Scenario: Scheduled backup or log rotation job
Description: A scheduled job using cron or systemd timer might execute scripts that are benign but have similar file or process patterns to the malicious dropper.
Filter/Exclusion: Exclude processes with cron, systemd, or logrotate in their command line, or filter by user root or backup if applicable.
Scenario: Admin task involving script execution or file transfer
Description: An administrator might manually transfer or execute scripts using tools like scp, rsync, or ssh, which could trigger the rule if the script matches the malicious pattern.
Filter/Exclusion: Exclude processes involving scp, rsync, ssh, or sftp, or filter by known admin users (e.g., admin, sudo, root).
Scenario: Use of legitimate security tools for malware analysis
Description: Security tools like ClamAV, Snort, or OSSEC might generate files or processes that resemble the Chicken dropper during analysis.
Filter/Exclusion: Exclude processes related to security tools (clamscan, snort, ossec, yara, virustotal) or files in quarantine or sandbox directories.
Scenario: Use of legitimate system utilities for file manipulation
Description: Tools like tar, gzip, cp, or mv might be used to move or extract files
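The exclusions listed in these scenarios are triage logic applied to match events, not part of the YARA rule itself. The following is an added example, not code from the page: a small Python triage step that takes constructed match events (file path, command line of the associated process, user) and applies the page's exclusions literally, recording the reason for every suppression so the filters can be audited. The event shape, the field names and the sample events are assumptions made here. The user-based exclusion ("known admin users") is kept behind an explicit flag because it is the coarsest of the filters: most droppers that gain root would be suppressed by it, so it should only be enabled where the page's "if applicable" holds.

```python
"""Exclusion-filter triage for ChickenDOS_Linux match events (added example,
not from the page). Event fields and sample events are constructed here."""

import os
import shlex
from dataclasses import dataclass

# Exclusion lists taken from the page's scenarios.
PACKAGE_MANAGERS = {"apt", "apt-get", "aptitude", "yum", "dnf"}
SCHEDULER_MARKERS = ("cron", "systemd", "logrotate")   # substring of command line
TRANSFER_TOOLS = {"scp", "rsync", "ssh", "sftp"}
SECURITY_TOOLS = {"clamscan", "snort", "ossec", "yara", "virustotal"}
SAFE_DIR_MARKERS = ("/quarantine/", "/sandbox/")
ADMIN_USERS = {"admin", "root", "backup"}


@dataclass(frozen=True)
class MatchEvent:
    path: str       # file that matched the rule
    cmdline: str    # command line of the process that wrote or ran it
    user: str
    rule: str = "ChickenDOS_Linux"


def program_name(cmdline: str) -> str:
    """Basename of argv[0], tolerating unbalanced quotes in odd command lines."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        argv = cmdline.split()
    return os.path.basename(argv[0]) if argv else ""


def exclusion_reason(ev: MatchEvent, suppress_admin_users: bool = False):
    """Return the page's exclusion that applies to ev, or None to escalate."""
    prog = program_name(ev.cmdline)
    if prog in PACKAGE_MANAGERS:
        return "package manager activity"
    if any(m in ev.cmdline for m in SCHEDULER_MARKERS):
        return "scheduled job (cron/systemd/logrotate)"
    if prog in TRANSFER_TOOLS:
        return "admin file transfer tool"
    if prog in SECURITY_TOOLS or any(m in ev.path for m in SAFE_DIR_MARKERS):
        return "security tooling or quarantine/sandbox path"
    if suppress_admin_users and ev.user in ADMIN_USERS:
        return "known admin user"
    return None


def triage(events, suppress_admin_users: bool = False):
    """Split events into (escalate, suppressed); each entry is (event, reason)."""
    escalate, suppressed = [], []
    for ev in events:
        reason = exclusion_reason(ev, suppress_admin_users)
        (suppressed if reason else escalate).append((ev, reason))
    return escalate, suppressed


# Constructed events (not real telemetry).
SAMPLE_EVENTS = [
    MatchEvent("/tmp/.x/svchost", "/tmp/.x/svchost", "www-data"),
    MatchEvent("/var/lib/clamav/quarantine/sample.bin", "clamscan -r /home", "clamav"),
    MatchEvent("/var/cache/apt/archives/pkg.deb", "apt-get install pkg", "root"),
    MatchEvent("/root/tools/x", "/bin/bash /root/tools/x", "root"),
    MatchEvent("/backup/daily.tar", "/usr/sbin/logrotate /etc/logrotate.conf", "root"),
]


if __name__ == "__main__":
    esc, sup = triage(SAMPLE_EVENTS)
    for ev, _ in esc:
        print(f"ESCALATE  {ev.path} ({ev.user})")
    for ev, why in sup:
        print(f"suppress  {ev.path}: {why}")
```

Run as-is, the unlabeled file under /tmp and the root-owned script are escalated while the ClamAV, apt-get and logrotate events are suppressed with their reasons; enabling `suppress_admin_users` additionally hides the root-owned script, which is the trade-off to weigh before turning that filter on.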