The detection identifies potential Mirai Botnet TR-069 worm activity targeting Renesas SH LSB devices through suspicious TR-069 protocol interactions. SOC teams should proactively hunt for this behavior to identify and mitigate early-stage botnet infections in IoT environments before widespread network compromise occurs.
YARA Rule
import "hash"   // required for the hash.sha1() call in the condition

rule Mirai_Renesas_SH : MALW
{
    meta:
        description = "Mirai Botnet TR-069 Worm - Renesas SH LSB"
        author = "Felipe Molina / @felmoltor"
        date = "2016-12-04"
        version = "1.0"
        MD5 = "863dcf82883c885b0686dce747dcf502"
        SHA1 = "bdc86295fad70480f0c6edcc37981e3cf11d838c"
        ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
        ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
        ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"

    strings:
        $miname = "Myname--is:"
        // The sample closes the TR-069 (7547) and 5555 ports after infection
        $iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
        $iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
        $procnet = "/proc/net/tcp"

    condition:
        // All four strings AND the SHA1 of the whole file must match
        $miname and $iptables1 and $iptables2 and $procnet and
        hash.sha1(0, filesize) == "bdc86295fad70480f0c6edcc37981e3cf11d838c"
}
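To make the behaviour of this condition concrete, the following is an added example (not the rule author's code) that re-implements the rule's logic in plain Python with hashlib: it checks the four byte strings and the whole-file SHA1 exactly as the YARA condition does. The sample bytes are constructed here for illustration and are not a real binary. The point it shows is that the hash clause pins the rule to one specific file, so a file that contains all four strings but differs by a single byte will not fire the full rule; a strings-only variant is what a hunt for related samples would need, at the cost of more false positives.

```python
import hashlib

# The four string patterns from the YARA rule on this page (ASCII bytes).
RULE_STRINGS = {
    "$miname": b"Myname--is:",
    "$iptables1": b"busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP",
    "$iptables2": b"busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP",
    "$procnet": b"/proc/net/tcp",
}

# SHA1 pinned in the rule's condition (copied from the page).
PINNED_SHA1 = "bdc86295fad70480f0c6edcc37981e3cf11d838c"


def matched_strings(data: bytes) -> dict:
    """Map each rule identifier to the offset of its first hit, or None if absent."""
    return {name: (data.find(pat) if pat in data else None)
            for name, pat in RULE_STRINGS.items()}


def matches_strings_only(data: bytes) -> bool:
    """Equivalent of the condition without the hash clause: all four strings present."""
    return all(hit is not None for hit in matched_strings(data).values())


def matches_full_rule(data: bytes) -> bool:
    """Equivalent of the page's full condition: all strings AND sha1(0, filesize) pinned."""
    return matches_strings_only(data) and hashlib.sha1(data).hexdigest() == PINNED_SHA1


def scan(data: bytes) -> dict:
    """Return a small verdict record a hunt script could log per file."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "strings": matched_strings(data),
        "strings_only_match": matches_strings_only(data),
        "full_rule_match": matches_full_rule(data),
    }


# Constructed sample (assumption: not real malware) that contains all four strings.
SAMPLE = (
    b"\x7fELF" + b"\x00" * 12
    + b"Myname--is: %s\n"
    + b"busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP\n"
    + b"busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP\n"
    + b"/proc/net/tcp\x00"
)

# Constructed benign-looking input: only one of the strings appears.
BENIGN = b"#!/bin/sh\ncat /proc/net/tcp\n"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, scan(blob))
```

Running this shows the constructed sample satisfying the strings-only check while failing the full rule, because its SHA1 is not the pinned value; the benign input fails both. For hunting beyond the single known sample, a copy of the rule with the `hash.sha1` clause removed and the string matches kept is the usual compromise, reviewed against the false-positive scenarios listed below.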
This rule contains 4 string patterns in its detection logic, combined with a SHA1 match on the whole file. The following scenarios describe benign activity that may resemble the detection, with a suggested filter/exclusion for each:
Scenario: Scheduled System Maintenance Job
Description: A legitimate system maintenance job runs on a Renesas SH LSB device, triggering network traffic consistent with the detection logic.
Filter/Exclusion: device_type = "Renesas SH LSB" AND event_type = "scheduled_job" AND source_port = 53

Scenario: DNS Server Query from Internal Network
Description: A DNS query from an internal DNS server to a Renesas SH LSB device is misinterpreted as a TR-069 worm attempt.
Filter/Exclusion: source_ip IN (internal_dns_servers) AND destination_port = 53

Scenario: Remote Management Tool (e.g., IPMI) Usage
Description: An administrator uses IPMI or a similar remote management tool to access the Renesas SH LSB device, generating traffic that matches the detection logic.
Filter/Exclusion: user = "admin" AND tool = "IPMI" AND destination_port = 53

Scenario: Automated Firmware Update Task
Description: A firmware update task initiated by a configuration management tool (e.g., Ansible, Puppet) triggers traffic that resembles the TR-069 worm behavior.
Filter/Exclusion: task_name = "firmware_update" AND source_ip IN (management_servers) AND destination_port = 53

Scenario: Log Collection Agent Communication
Description: A log collection agent (e.g., Splunk, ELK stack) communicates with the Renesas SH LSB device, generating traffic that matches the detection rule.
Filter/Exclusion: agent_type = "log_collector" AND source_ip IN (log_servers) AND destination_port = 53