The Linux.Bew Backdoor detection rule identifies potential adversary persistence by monitoring for suspicious file modifications and unusual process executions commonly associated with backdoor activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage compromise attempts by adversaries leveraging Linux-based systems.
YARA Rule
rule LinuxBew: MALW
{
    meta:
        description = "Linux.Bew Backdoor"
        author = "Joan Soriano / @w0lfvan"
        date = "2017-07-10"
        version = "1.0"
        MD5 = "27d857e12b9be5d43f935b8cc86eaabf"
        SHA256 = "80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06"
    strings:
        $a = "src/secp256k1.c"
        $b = "hfir.u230.org"
        $c = "tempfile-x11session"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
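The matching logic of those three strings and the "all of them" condition, re-implemented in plain Python as an added illustration (not the rule author's tooling, and independent of the yara library). The sample buffers are constructed for the example, not real malware bytes; they show why a file carrying only "src/secp256k1.c" (as a legitimate libsecp256k1 build might) does not match.

```python
"""Plain-Python mirror of the LinuxBew YARA rule's string logic.

Added example; not part of the original rule. Sample buffers below are
constructed and contain no real malware content.
"""
from typing import Dict

# YARA text strings are case-sensitive byte sequences unless modified,
# so the three rule strings are matched here as raw bytes.
LINUX_BEW_STRINGS: Dict[str, bytes] = {
    "$a": b"src/secp256k1.c",
    "$b": b"hfir.u230.org",
    "$c": b"tempfile-x11session",
}


def match_strings(data: bytes) -> Dict[str, int]:
    """Return {identifier: first offset} for every rule string found."""
    hits = {}
    for ident, pattern in LINUX_BEW_STRINGS.items():
        offset = data.find(pattern)
        if offset != -1:
            hits[ident] = offset
    return hits


def linux_bew_matches(data: bytes) -> bool:
    """Equivalent of the rule's `condition: all of them`."""
    return len(match_strings(data)) == len(LINUX_BEW_STRINGS)


def scan_file(path: str) -> bool:
    """Apply the same logic to one file on disk (whole-file read)."""
    with open(path, "rb") as fh:
        return linux_bew_matches(fh.read())


# Constructed samples: a 16-byte ELF-like header followed by the strings.
_HDR = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
SAMPLE_ALL_THREE = (
    _HDR + b"src/secp256k1.c\x00hfir.u230.org\x00tempfile-x11session\x00"
)
SAMPLE_BENIGN_LIB = _HDR + b"src/secp256k1.c\x00"  # only $a present

if __name__ == "__main__":
    print("all three strings:", linux_bew_matches(SAMPLE_ALL_THREE))   # True
    print("only $a present:  ", linux_bew_matches(SAMPLE_BENIGN_LIB))  # False
    print("hits in benign:   ", match_strings(SAMPLE_BENIGN_LIB))      # {'$a': 16}
```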
Scenario: System backup using rsync
Description: A legitimate system backup process using rsync might trigger the rule due to file transfer activity.
Filter/Exclusion: Exclude processes where the command line includes rsync and the destination is a known backup directory (e.g., /backup/ or /var/backups/).
Scenario: Cron job for log rotation
Description: A scheduled cron job using tools like logrotate may generate similar activity to the backdoor’s behavior.
Filter/Exclusion: Exclude processes with logrotate in the command line and check for the presence of a known log rotation configuration file (e.g., /etc/logrotate.conf).
Scenario: Admin using scp to transfer files
Description: An administrator using scp to transfer files between servers may trigger the rule due to SSH-based file transfer.
Filter/Exclusion: Exclude processes where the command line includes scp and the source/destination are known internal IP ranges or trusted hosts.
Scenario: Automated software update using yum or apt
Description: Package managers like yum or apt may execute scripts or transfer files that resemble malicious behavior.
Filter/Exclusion: Exclude processes where the command line includes yum or apt and check for the presence of a known package manager log file (e.g., /var/log/yum.log or /var/log/apt/).
Scenario: Scheduled job for system monitoring with nagios or zabbix
Description: Monitoring tools like nagios or zabbix may execute scripts or transfer data that could be flagged by the rule.
Filter/Exclusion: Exclude processes where the command line includes nagios or