Devices exhibiting unusual outbound DNS traffic to known Mirai botnet command and control servers may indicate the presence of a Mirai variant, as these behaviors are commonly associated with IoT botnet communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential botnet infections before they can be leveraged for large-scale DDoS attacks.
YARA Rule
rule Mirai_2 : MALW
{
    meta:
        description = "Mirai Variant 2"
        author = "Joan Soriano / @joanbtl"
        date = "2017-04-16"
        version = "1.0"
        MD5 = "0e5bda9d39b03ce79ab8d421b90c0067"
        SHA1 = "96f42a9fad2923281d21eca7ecdd3161d2b61655"
    strings:
        $dir1 = "/dev/watchdog"
        $dir2 = "/dev/misc/watchdog"
        $s1 = "PMMV"
        $s2 = "ZOJFKRA"
        $s3 = "FGDCWNV"
        $s4 = "OMVJGP"
    condition:
        $dir1 and $dir2 and $s1 and $s2 and $s3 and not $s4
}
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
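As an added example (not part of the original rule or its author's work), the rule's string logic re-implemented in plain Python so the condition, including the "not $s4" exclusion, can be exercised against constructed byte samples without a YARA engine; RULE_STRINGS, the function names and the three sample blobs are assumptions made for this illustration.

```python
# Pure-Python mirror of the Mirai_2 rule's strings and condition.
# The sample blobs below are constructed for illustration; they are not real
# Mirai artefacts and carry no real ELF structure beyond the magic bytes.

RULE_STRINGS = {
    "$dir1": b"/dev/watchdog",
    "$dir2": b"/dev/misc/watchdog",
    "$s1": b"PMMV",
    "$s2": b"ZOJFKRA",
    "$s3": b"FGDCWNV",
    "$s4": b"OMVJGP",
}


def string_hits(data: bytes) -> dict:
    """Offsets of every occurrence of each rule string. YARA reports all
    occurrences (overlapping ones included) and plain text strings are
    case-sensitive, so the scan below behaves the same way."""
    hits = {}
    for name, pattern in RULE_STRINGS.items():
        offsets, start = [], 0
        while (pos := data.find(pattern, start)) != -1:
            offsets.append(pos)
            start = pos + 1
        hits[name] = offsets
    return hits


def mirai_2_matches(data: bytes) -> bool:
    """Same boolean as the rule's condition: both watchdog paths and $s1..$s3
    present, $s4 absent. A sample that also carries OMVJGP does not match."""
    p = {name: bool(offs) for name, offs in string_hits(data).items()}
    return (p["$dir1"] and p["$dir2"] and p["$s1"] and p["$s2"] and p["$s3"]
            and not p["$s4"])


# Constructed sample 1: carries exactly the strings the rule expects.
SAMPLE_VARIANT = (b"\x7fELF" + b"\x00" * 4
                  + b"/dev/watchdog\x00/dev/misc/watchdog\x00"
                  + b"PMMV\x00ZOJFKRA\x00FGDCWNV\x00")
# Constructed sample 2: same strings plus $s4, which the condition excludes.
SAMPLE_WITH_S4 = SAMPLE_VARIANT + b"OMVJGP\x00"
# Constructed sample 3: a benign binary that only references the watchdog
# device, as legitimate watchdog daemons do; $dir1 alone must not fire.
SAMPLE_BENIGN = b"\x7fELF" + b"/dev/watchdog\x00watchdog daemon v1\x00"

if __name__ == "__main__":
    for label, blob in (("variant", SAMPLE_VARIANT), ("with_s4", SAMPLE_WITH_S4),
                        ("benign", SAMPLE_BENIGN)):
        print(f"{label:8s} match={mirai_2_matches(blob)} hits={string_hits(blob)}")
```

Running it prints the per-sample verdict with the offset of each string hit, which is the same information an analyst would use to triage a real YARA match.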
Scenario: Scheduled System Backup Using rsync
Description: A legitimate system backup process using rsync may trigger the rule due to similar command patterns.
Filter/Exclusion: Exclude processes initiated by the root user with rsync in the command line and a destination path matching /backup/ or /var/backups/.
Scenario: Admin Task Using nc for Network Testing
Description: System administrators may use nc (netcat) to test network connectivity or port availability, which could resemble Mirai botnet behavior.
Filter/Exclusion: Exclude processes where the user is root or admin, and the command includes nc -zv with a known internal IP range (e.g., 192.168.0.0/16).
Scenario: Cron Job for Log Rotation
Description: A cron job using logrotate may execute commands that resemble malicious activity, especially if it involves nc or dd for log management.
Filter/Exclusion: Exclude processes with logrotate in the command line and a path in /etc/logrotate.d/ or /etc/cron.daily/.
Scenario: Docker Container Management with docker exec
Description: Docker commands like docker exec can be used to run shell commands inside containers, which might trigger the rule if the command includes suspicious utilities.
Filter/Exclusion: Exclude processes where the command starts with docker exec and the container ID matches known trusted containers (e.g., nginx, redis, postgres).
Scenario: Database Backup Using mysqldump
Description: A database backup process using mysqldump might execute commands that look similar to Mirai’s command structure,