The hypothesis is that the detection identifies potential Sofacy Fysbis Linux backdoor activity, which is a critical indicator of a sophisticated adversary establishing persistent, stealthy control over a Linux host. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they exfiltrate data or escalate within the network.
YARA Rule
rule Sofacy_Fysbis_ELF_Backdoor_Gen2
{
    meta:
        description = "Detects Sofacy Fysbis Linux Backdoor"
        author = "Florian Roth"
        reference = "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"
        date = "2016-02-13"
        score = 80
        hash1 = "02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592"
        hash2 = "8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb"
        hash3 = "fd8b2ea9a2e8a67e4cb3904b49c789d57ed9b1ce5bebfe54fe3d98214d6a0f61"
    strings:
        $s1 = "RemoteShell" ascii
        $s2 = "basic_string::_M_replace_dispatch" fullword ascii
        $s3 = "HttpChannel" ascii
    condition:
        uint16(0) == 0x457f and filesize < 500KB and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
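Added example, not from the page or from the rule's author: a pure-Python re-implementation of the rule's condition (the ELF magic check, the size bound, and the three string tests, with fullword approximated as "not bordered by ASCII alphanumerics") run over constructed byte strings, so the contribution of each clause can be inspected without yara-python. Note that the rule is evaluated against file bytes, not process command lines.

```python
import string

# Added example (not from the page or the rule's author): a pure-Python
# re-implementation of the Sofacy_Fysbis_ELF_Backdoor_Gen2 condition, so each
# clause can be evaluated and explained without yara-python installed.
# Sample bytes below are constructed, not real malware.

ELF_MAGIC_LE16 = 0x457F            # uint16(0) reads b"\x7fELF" little-endian
MAX_SIZE = 500 * 1024              # filesize < 500KB (YARA's KB is 1024 bytes)
PATTERNS = {                       # name -> (bytes, fullword?)
    "$s1": (b"RemoteShell", False),
    "$s2": (b"basic_string::_M_replace_dispatch", True),
    "$s3": (b"HttpChannel", False),
}
WORD_BYTES = (string.ascii_letters + string.digits).encode()


def fullword_present(data: bytes, pat: bytes) -> bool:
    """Approximates YARA 'fullword': a hit must not be bordered by alphanumerics."""
    start = 0
    while (i := data.find(pat, start)) >= 0:
        end = i + len(pat)
        before_ok = i == 0 or data[i - 1] not in WORD_BYTES
        after_ok = end == len(data) or data[end] not in WORD_BYTES
        if before_ok and after_ok:
            return True
        start = i + 1
    return False


def evaluate_rule(data: bytes) -> dict:
    """Evaluate the rule's three clauses and the overall 'and' of them."""
    magic_ok = len(data) >= 2 and int.from_bytes(data[:2], "little") == ELF_MAGIC_LE16
    size_ok = len(data) < MAX_SIZE
    strings = {name: (fullword_present(data, pat) if fw else pat in data)
               for name, (pat, fw) in PATTERNS.items()}
    return {"magic": magic_ok, "size": size_ok, "strings": strings,
            "match": magic_ok and size_ok and all(strings.values())}


# Constructed inputs: an ELF-like header followed by the three strings,
# the same bytes with a PE ("MZ") header, and one where $s2 is not a full word.
SAMPLE_ELF = (b"\x7fELF" + b"\x00" * 12 +
              b"RemoteShell\x00HttpChannel\x00basic_string::_M_replace_dispatch\x00")
SAMPLE_PE = b"MZ" + SAMPLE_ELF[2:]
SAMPLE_PARTIAL = SAMPLE_ELF.replace(b"\x00basic_string", b"Xbasic_string")

if __name__ == "__main__":
    for label, blob in (("elf", SAMPLE_ELF), ("pe", SAMPLE_PE), ("partial", SAMPLE_PARTIAL)):
        print(label, evaluate_rule(blob))
```

Only the ELF-headed sample satisfies all three clauses; the PE-headed sample fails on the magic check despite carrying every string, and the third sample fails because `$s2` is glued to a preceding letter.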
Scenario: System Maintenance Script Execution
Description: A legitimate system maintenance script (e.g., systemd-tmpfiles-setup, logrotate) is executed, which may contain similar command patterns to the backdoor.
Filter/Exclusion: Check the command line arguments and process tree to ensure the script is part of known system maintenance tools. Use a filter like:
process.parent_process_name != "systemd" || process.command_line contains "logrotate" || process.command_line contains "tmpfiles-setup"
Scenario: Scheduled Job for Log Rotation
Description: A scheduled job (e.g., via cron or systemd-timer) runs logrotate or similar tools, which may trigger the rule due to command similarity.
Filter/Exclusion: Filter by user or process name:
process.user == "root" && (process.name == "logrotate" || process.name == "systemd-tmpfiles-setup")
Scenario: Admin Task for User Management
Description: An admin task like useradd, usermod, or passwd is executed, which may have command-line similarities to the backdoor.
Filter/Exclusion: Filter by command name and user context:
(process.name == "useradd" || process.name == "usermod" || process.name == "passwd") && process.user == "root"
Scenario: Package Installation via APT
Description: A legitimate package installation (e.g., apt-get install) may trigger the rule due to command-line similarity.
Filter/Exclusion: Filter by command name and package name:
process.name == "apt" || process.name == "apt-get" && process.command_line contains "