Analytics Story: AcidRain

Date: 2022-04-12 ID: c68717c6-4938-434b-987c-e1ce9d516124 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the acidrain malware including deleting of files and etc. AcidRain is an ELF MIPS malware specifically designed to wipe modems and routers. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. This malware is capable of wiping and deleting non-standard linux files and overwriting storage device files that might related to router, ssd card and many more.

Why it matters

Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Linux Account Manipulation Of SSH Config and Keys File Deletion, Data Destruction Anomaly
Linux Deletion Of Cron Jobs File Deletion, Data Destruction Anomaly
Linux Deletion Of Init Daemon Script File Deletion, Data Destruction TTP
Linux Deletion Of Services File Deletion, Data Destruction TTP
Linux Deletion of SSL Certificate File Deletion, Data Destruction Anomaly
Linux High Frequency Of File Deletion In Etc Folder File Deletion, Data Destruction Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Sysmon for Linux EventID 11 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational

References

Source: GitHub | Version: 1