Devices generating unusual outbound DNS traffic to known Mirai botnet command-and-control servers may indicate hosts inside the network that have been infected by the Mirai Variant 3 bot. Proactively hunting for this behavior in Azure Sentinel helps identify and mitigate potential distributed denial-of-service attacks before they escalate.
YARA Rule
rule Mirai_3 : MALW
{
    meta:
        description = "Mirai Variant 3"
        author = "Joan Soriano / @joanbtl"
        date = "2017-04-16"
        version = "1.0"
        MD5 = "bb22b1c921ad8fa358d985ff1e51a5b8"
        SHA1 = "432ef83c7692e304c621924bc961d95c4aea0c00"
    strings:
        $dir1 = "/dev/watchdog"
        $dir2 = "/dev/misc/watchdog"
        $s1 = "PMMV"
        $s2 = "ZOJFKRA"
        $s3 = "FGDCWNV"
        $s4 = "OMVJGP"
        $ssl = "ssl3_ctrl"
    condition:
        $dir1 and $dir2 and $s1 and $s2 and $s3 and $s4 and not $ssl
}
This rule contains 7 string patterns in its detection logic.
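To show how the rule's condition behaves, including the `not $ssl` exclusion that suppresses a match on binaries carrying OpenSSL symbols, here is an added Python example (not part of the original page or the rule author's work) that re-implements the seven-string logic without the yara module. The byte buffers below are constructed test data, not Mirai samples.

```python
from pathlib import Path

# The rule's seven strings, grouped the way the condition groups them.
# All six REQUIRED strings must be present and the EXCLUDED one absent.
REQUIRED = [
    b"/dev/watchdog",       # $dir1
    b"/dev/misc/watchdog",  # $dir2
    b"PMMV",                # $s1
    b"ZOJFKRA",             # $s2
    b"FGDCWNV",             # $s3
    b"OMVJGP",              # $s4
]
EXCLUDED = [b"ssl3_ctrl"]   # $ssl: its presence blocks the match


def mirai_3_matches(data: bytes) -> bool:
    """Mirror of the YARA condition: every $dir/$s string hit and $ssl not hit."""
    return all(s in data for s in REQUIRED) and not any(s in data for s in EXCLUDED)


def explain(data: bytes) -> dict:
    """Per-string hit map plus the overall verdict, for triaging why a file
    did or did not fire (e.g. a single missing string or an $ssl hit)."""
    report = {s.decode(): s in data for s in REQUIRED + EXCLUDED}
    report["match"] = mirai_3_matches(data)
    return report


def scan_path(path: str) -> bool:
    """Apply the condition to a file on disk (YARA scans the raw bytes)."""
    return mirai_3_matches(Path(path).read_bytes())


# Constructed buffers (fabricated, not real samples) covering the three cases:
# a buffer with all required strings, one that also carries the OpenSSL symbol,
# and a benign buffer that only references the watchdog device.
SAMPLE_BOT = b"\x7fELF\x01\x01\x01" + b"\x00".join(REQUIRED) + b"\x00"
SAMPLE_OPENSSL = SAMPLE_BOT + b"ssl3_ctrl\x00"
SAMPLE_BENIGN = b"\x7fELF\x01\x01\x01/dev/watchdog\x00"

if __name__ == "__main__":
    for name, buf in [("bot", SAMPLE_BOT), ("openssl", SAMPLE_OPENSSL), ("benign", SAMPLE_BENIGN)]:
        print(name, explain(buf))
```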
Scenario: Scheduled System Backup Using rsync
Description: A legitimate scheduled backup job using rsync may trigger the rule due to the use of rsync in the command line.
Filter/Exclusion: process.name != "rsync" or process.args !~ "rsync"

Scenario: Admin Task to Update IoT Devices via SSH
Description: An administrator may use SSH to update firmware or configurations on IoT devices, which could be flagged by the rule.
Filter/Exclusion: process.name != "ssh" or process.args !~ "ssh"

Scenario: Cron Job for Network Monitoring Tool (e.g., nmap)
Description: A cron job running nmap to scan internal networks for connectivity issues may be misidentified as part of a Mirai variant.
Filter/Exclusion: process.name != "nmap" or process.args !~ "nmap"

Scenario: Log Collection via tcpdump on a Firewall
Description: A firewall or network appliance may use tcpdump to capture and analyze network traffic, which could trigger the rule.
Filter/Exclusion: process.name != "tcpdump" or process.args !~ "tcpdump"

Scenario: Docker Container Management with docker exec
Description: A system administrator may use docker exec to run commands inside a container, which could be flagged by the rule.
Filter/Exclusion: process.name != "docker" or process.args !~ "docker exec"