The Linux/Onimiki malicious DNS server is likely being used by adversaries to exfiltrate data or establish command and control over compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential data exfiltration or C2 channels early in the attack lifecycle.
YARA Rule
rule onimiki
{
    meta:
        description = "Linux/Onimiki malicious DNS server"
        malware = "Linux/Onimiki"
        operation = "Windigo"
        author = "Olivier Bilodeau <[email protected]>"
        created = "2014-02-06"
        reference = "http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf"
        contact = "[email protected]"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"

    strings:
        // code from offset: 0x46CBCD
        $a1 = {43 0F B6 74 2A 0E 43 0F B6 0C 2A 8D 7C 3D 00 8D}
        $a2 = {74 35 00 8D 4C 0D 00 89 F8 41 F7 E3 89 F8 29 D0}
        $a3 = {D1 E8 01 C2 89 F0 C1 EA 04 44 8D 0C 92 46 8D 0C}
        $a4 = {8A 41 F7 E3 89 F0 44 29 CF 29 D0 D1 E8 01 C2 89}
        $a5 = {C8 C1 EA 04 44 8D 04 92 46 8D 04 82 41 F7 E3 89}
        $a6 = {C8 44 29 C6 29 D0 D1 E8 01 C2 C1 EA 04 8D 04 92}
        $a7 = {8D 04 82 29 C1 42 0F B6 04 21 42 88 84 14 C0 01}
        $a8 = {00 00 42 0F B6 04 27 43 88 04 32 42 0F B6 04 26}
        $a9 = {42 88 84 14 A0 01 00 00 49 83 C2 01 49 83 FA 07}

    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 9 string patterns in its detection logic.
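As an added example (not ESET's code and not part of the rule page), the following Python scanner re-implements the nine hex strings and the rule's `all of them` condition over a constructed buffer, so the matching logic can be exercised without a YARA install. It assumes the nine 16-byte chunks sit back to back in a real sample, as the `code from offset: 0x46CBCD` comment suggests; the padding bytes around them are constructed.

```python
from typing import Dict, List

# Hex strings copied from the onimiki rule (each 16 bytes, no wildcards or jumps).
ONIMIKI_STRINGS = {
    "$a1": "43 0F B6 74 2A 0E 43 0F B6 0C 2A 8D 7C 3D 00 8D",
    "$a2": "74 35 00 8D 4C 0D 00 89 F8 41 F7 E3 89 F8 29 D0",
    "$a3": "D1 E8 01 C2 89 F0 C1 EA 04 44 8D 0C 92 46 8D 0C",
    "$a4": "8A 41 F7 E3 89 F0 44 29 CF 29 D0 D1 E8 01 C2 89",
    "$a5": "C8 C1 EA 04 44 8D 04 92 46 8D 04 82 41 F7 E3 89",
    "$a6": "C8 44 29 C6 29 D0 D1 E8 01 C2 C1 EA 04 8D 04 92",
    "$a7": "8D 04 82 29 C1 42 0F B6 04 21 42 88 84 14 C0 01",
    "$a8": "00 00 42 0F B6 04 27 43 88 04 32 42 0F B6 04 26",
    "$a9": "42 88 84 14 A0 01 00 00 49 83 C2 01 49 83 FA 07",
}

def hex_string_to_bytes(s: str) -> bytes:
    """Convert a plain YARA hex string (no ?? wildcards, no [n-m] jumps) to raw bytes."""
    return bytes.fromhex(s.replace(" ", ""))

def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Every offset at which needle occurs in haystack (overlaps included, like YARA)."""
    offsets, pos = [], haystack.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = haystack.find(needle, pos + 1)
    return offsets

def scan(data: bytes) -> Dict[str, List[int]]:
    """Return {string identifier: [match offsets]} for all nine rule strings."""
    return {name: find_all(data, hex_string_to_bytes(h)) for name, h in ONIMIKI_STRINGS.items()}

def rule_onimiki(data: bytes) -> bool:
    """Evaluate the rule's condition 'all of them': every string must match at least once."""
    return all(scan(data).values())

# Constructed samples (assumption: the chunks are contiguous code in the real binary).
CODE_BLOB = b"".join(hex_string_to_bytes(h) for h in ONIMIKI_STRINGS.values())
SAMPLE_HIT = b"\x7fELF" + b"\x90" * 64 + CODE_BLOB + b"\xcc" * 32
SAMPLE_MISS = b"\x7fELF" + b"\x90" * 64 + CODE_BLOB[:-16] + b"\xcc" * 32  # $a9 absent

if __name__ == "__main__":
    for label, blob in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        hits = {k: v for k, v in scan(blob).items() if v}
        print(label, "MATCH" if rule_onimiki(blob) else "no match", hits)
```

Because the condition is `all of them`, a sample missing even one chunk (for example a recompiled or patched build) does not match, which is the trade-off between precision and coverage to keep in mind when tuning this rule.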
Scenario: A system administrator is manually configuring a DNS server using named (BIND) for internal network testing.
Filter/Exclusion: Check for the presence of a named process and filter out DNS configurations that include named.conf or named.pid files.

Scenario: A scheduled job runs nslookup or dig to verify DNS resolution during system maintenance.
Filter/Exclusion: Exclude processes where the command line includes nslookup, dig, or host as part of a known maintenance script.

Scenario: A security tool such as dnsmasq is used to provide DNS caching and filtering for internal users.
Filter/Exclusion: Filter out processes related to dnsmasq by checking the process name and excluding any DNS-related activity that matches known dnsmasq configuration patterns.

Scenario: An admin is using socat to set up a temporary DNS relay for network testing or debugging.
Filter/Exclusion: Exclude processes where the command line includes socat with DNS-related options such as UDP-LISTEN:53 or TCP-LISTEN:53.

Scenario: A CI/CD pipeline runs a DNS validation step using dnsprobe or dnschecker to verify DNS records.
Filter/Exclusion: Filter out DNS queries originating from CI/CD environments by checking the source IP or process owner against known CI/CD service accounts.