The hypothesis is that this detection identifies potential Sofacy Fysbis Linux backdoor activity associated with the Naikon APT by matching suspicious file contents indicative of adversary persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat (APT) activity early in the attack lifecycle.
YARA Rule
rule Sofacy_Fybis_ELF_Backdoor_Gen1
{
    meta:
        description = "Detects Sofacy Fysbis Linux Backdoor_Naikon_APT_Sample1"
        author = "Florian Roth"
        reference = "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"
        date = "2016-02-13"
        score = 80
        hash1 = "02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592"
        hash2 = "8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb"
    strings:
        $x1 = "Your command not writed to pipe" fullword ascii
        $x2 = "Terminal don`t started for executing command" fullword ascii
        $x3 = "Command will have end with \\n" fullword ascii
        $s1 = "WantedBy=multi-user.target' >> /usr/lib/systemd/system/" fullword ascii
        $s2 = "Success execute command or long for waiting executing your command" fullword ascii
        $s3 = "ls /etc | egrep -e\"fedora*|debian*|gentoo*|mandriva*|mandrake*|meego*|redhat*|lsb-*|sun-*|SUSE*|release\"" fullword ascii
        $s4 = "rm -f /usr/lib/systemd/system/" fullword ascii
        $s5 = "ExecStart=" fullword ascii
        $s6 = "<table><caption><font size=4 color=red>TABLE EXECUTE FILES</font></caption>" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 500KB and 1 of ($x*) ) or ( 1 of ($x*) and 3 of ($s*) )
}
This YARA rule can be deployed in the following contexts:
This rule contains 9 string patterns in its detection logic: three high-confidence $x strings and six supporting $s strings. The condition requires at least one $x string in every match; the $s strings alone never trigger it.
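To make the condition concrete, the following added example (not part of the original page and not code from the rule's author) re-implements the rule's evaluation logic in plain Python: the little-endian ELF magic check `uint16(0) == 0x457f`, the `500KB` size bound, YARA's `fullword` boundary semantics, and the two branches of the condition. It runs against constructed byte buffers that stand in for files (no real samples are used), including a non-ELF container that only matches through the second branch and a buffer where the $x string is glued to alphanumerics so `fullword` rejects it.

```python
import re
import struct

# String sets copied from the YARA rule above. YARA matches raw bytes, so they are bytes here.
# "\\n" in the YARA source is a literal backslash followed by 'n'; the Python literal preserves that.
X_STRINGS = {
    "x1": b"Your command not writed to pipe",
    "x2": b"Terminal don`t started for executing command",
    "x3": b"Command will have end with \\n",
}
S_STRINGS = {
    "s1": b"WantedBy=multi-user.target' >> /usr/lib/systemd/system/",
    "s2": b"Success execute command or long for waiting executing your command",
    "s3": b'ls /etc | egrep -e"fedora*|debian*|gentoo*|mandriva*|mandrake*|meego*|redhat*|lsb-*|sun-*|SUSE*|release"',
    "s4": b"rm -f /usr/lib/systemd/system/",
    "s5": b"ExecStart=",
    "s6": b"<table><caption><font size=4 color=red>TABLE EXECUTE FILES</font></caption>",
}

MAX_SIZE = 500 * 1024    # YARA's "500KB" is 500 * 1024 bytes
ELF_MAGIC_LE = 0x457F    # uint16(0) reads bytes 0x7f 'E' as a little-endian 16-bit integer


def fullword_present(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the match may not be directly preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def evaluate(data: bytes) -> dict:
    """Evaluate the rule's condition and report which strings hit and which branch fired."""
    is_elf = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == ELF_MAGIC_LE
    x_hits = sorted(name for name, s in X_STRINGS.items() if fullword_present(data, s))
    s_hits = sorted(name for name, s in S_STRINGS.items() if fullword_present(data, s))
    # Branch 1: small ELF file with any one $x string.
    branch_elf = is_elf and len(data) < MAX_SIZE and len(x_hits) >= 1
    # Branch 2: any file type, one $x string plus three $s strings.
    branch_strings = len(x_hits) >= 1 and len(s_hits) >= 3
    return {
        "match": branch_elf or branch_strings,
        "is_elf": is_elf,
        "x_hits": x_hits,
        "s_hits": s_hits,
        "branch": "elf" if branch_elf else ("strings" if branch_strings else None),
    }


def build_samples() -> dict:
    """Constructed byte buffers standing in for files on disk; none of these is a real sample."""
    elf_header = b"\x7fELF" + b"\x00" * 60   # ELF magic plus padding, nothing else valid
    systemd_strings = (b"\x00ExecStart=\x00rm -f /usr/lib/systemd/system/\x00"
                       b"WantedBy=multi-user.target' >> /usr/lib/systemd/system/\x00")
    return {
        # Small ELF carrying one $x string: first branch fires.
        "small_elf": elf_header + b"\x00Your command not writed to pipe\x00",
        # Same content padded past 500KB: size bound fails, and no $s strings for the second branch.
        "big_elf": elf_header + b"\x00Your command not writed to pipe\x00" + b"\x00" * MAX_SIZE,
        # Non-ELF container (think memory dump) with one $x and three $s strings: second branch fires.
        "dump": b"DUMP\x00Terminal don`t started for executing command" + systemd_strings,
        # Ordinary unit-installer-like ELF with only the three systemd $s strings: no $x, so no match.
        "benign_installer": elf_header + systemd_strings,
        # $x1 glued to alphanumerics on both sides: 'fullword' rejects the match.
        "glued": elf_header + b"\x00xYour command not writed to pipe0\x00",
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        r = evaluate(data)
        print(f"{name:17} match={str(r['match']):5} branch={r['branch']} x={r['x_hits']} s={r['s_hits']}")
```

The `benign_installer` case is the one worth remembering when tuning: the systemd and `rm -f` strings are common in legitimate installers, but the rule only fires once a backdoor-specific $x string is present, so exclusions should be built around those $x strings rather than around the generic $s ones.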
Scenario: A system administrator is using scp to securely copy configuration files between servers as part of routine maintenance.
Filter/Exclusion: Check for scp commands with known administrative IP ranges or user IDs (e.g., root, admin) and exclude traffic between internal servers.
Scenario: A scheduled job runs cron to execute a legitimate backup script that includes a wget command to download a trusted update from an internal repository.
Filter/Exclusion: Exclude wget commands originating from cron jobs and targeting internal IP addresses or known internal repositories.
Scenario: A developer is using git to push code to a remote repository, which includes a git push command that matches the detection logic due to similar string patterns.
Filter/Exclusion: Exclude git commands executed from known developer workstations or repositories, and filter based on command-line arguments like --set-upstream.
Scenario: A system update process uses yum or apt to install a package that contains a string matching the backdoor signature due to a shared library or dependency.
Filter/Exclusion: Exclude package installation events from known update repositories and filter by package names or checksums.
Scenario: A security tool like ClamAV or Sophos is performing a scan and generates a false positive due to a signature overlap with the backdoor’s binary.
Filter/Exclusion: Exclude events related to known antivirus or endpoint protection tools, and filter based on process names or parent process chains.
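The five filter/exclusion scenarios above, expressed as a single triage helper over constructed process-event records. This is an added example, not part of the original page: the event field names, allowlists (admin IPs, internal repositories, developer workstations, approved packages) and the security-tool process names are all hypothetical placeholders that a real deployment would replace with its own watchlists. Events that match none of the exclusions stay in the hunt queue.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed allowlists (hypothetical values); load these from SIEM watchlists in practice.
ADMIN_IPS = {"10.10.1.5", "10.10.1.6"}
ADMIN_USERS = {"root", "admin"}
INTERNAL_PREFIXES = ("10.", "192.168.")
INTERNAL_REPOS = {"repo.corp.example", "mirror.corp.example"}
DEV_WORKSTATIONS = {"dev-ws-01", "dev-ws-02"}
UPDATE_REPOS = {"mirror.corp.example"}
APPROVED_PACKAGES = {"openssl", "curl"}
SECURITY_TOOLS = {"clamd", "clamscan", "savscand"}   # hypothetical AV/EDR process names


@dataclass
class ProcEvent:
    """Minimal process-execution record; field names are assumptions, not a specific product schema."""
    host: str
    user: str
    process: str
    cmdline: str
    parent: str
    src_ip: str = ""
    dst_ip: str = ""
    dst_host: str = ""
    package: str = ""


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def exclusion_reason(ev: ProcEvent) -> Optional[str]:
    """Return the scenario that suppresses this event, or None if it should stay in the hunt queue."""
    args = ev.cmdline.split()
    # Scenario 1: administrative scp between internal servers.
    if (ev.process == "scp" and (ev.src_ip in ADMIN_IPS or ev.user in ADMIN_USERS)
            and is_internal(ev.src_ip) and is_internal(ev.dst_ip)):
        return "admin-scp"
    # Scenario 2: wget launched by cron toward an internal address or repository.
    if (ev.process == "wget" and ev.parent in {"cron", "crond"}
            and (is_internal(ev.dst_ip) or ev.dst_host in INTERNAL_REPOS)):
        return "cron-wget"
    # Scenario 3: git push from a developer workstation or to an internal repo, with --set-upstream.
    if (ev.process == "git" and "push" in args and "--set-upstream" in args
            and (ev.host in DEV_WORKSTATIONS or ev.dst_host in INTERNAL_REPOS)):
        return "dev-git"
    # Scenario 4: package install from a known update repository, approved package only.
    if (ev.process in {"yum", "dnf", "apt", "apt-get"} and ev.dst_host in UPDATE_REPOS
            and ev.package in APPROVED_PACKAGES):
        return "package-update"
    # Scenario 5: the event belongs to a known security tool or its child processes.
    if ev.process in SECURITY_TOOLS or ev.parent in SECURITY_TOOLS:
        return "security-tool"
    return None


def remaining(events: List[ProcEvent]) -> List[ProcEvent]:
    """Events left for an analyst after the exclusions are applied."""
    return [ev for ev in events if exclusion_reason(ev) is None]


def sample_events() -> List[ProcEvent]:
    """Constructed events; hostnames and addresses are placeholders."""
    return [
        ProcEvent("srv-01", "root", "scp", "scp app.conf 10.10.2.7:/etc/app/", "bash", "10.10.1.5", "10.10.2.7"),
        ProcEvent("web-01", "www-data", "scp", "scp /tmp/x 203.0.113.7:/tmp/", "sh", "10.10.5.9", "203.0.113.7"),
        ProcEvent("srv-02", "backup", "wget", "wget http://mirror.corp.example/u.tgz", "crond", "", "10.10.3.3", "mirror.corp.example"),
        ProcEvent("web-01", "www-data", "wget", "wget http://203.0.113.7/a", "bash", "", "203.0.113.7"),
        ProcEvent("dev-ws-01", "alice", "git", "git push --set-upstream origin main", "bash", "", "", "repo.corp.example"),
        ProcEvent("srv-03", "root", "apt", "apt install openssl", "bash", "", "10.10.3.3", "mirror.corp.example", "openssl"),
        ProcEvent("srv-04", "clamav", "clamscan", "clamscan -r /usr/lib/systemd/system", "clamd"),
    ]


if __name__ == "__main__":
    for ev in sample_events():
        print(f"{ev.host:9} {ev.cmdline:45} -> {exclusion_reason(ev) or 'KEEP'}")
```

Note that each exclusion is an AND of several fields, not a bare process name: a `wget` from an interactive shell to an external address and an `scp` by a web-service account to an external host both fall through every check and remain in the queue, which is the behaviour you want from tuning that narrows noise without blinding the hunt.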