Analytics Story: AcidRain

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the AcidRain malware, including the deletion of files. AcidRain is an ELF MIPS malware specifically designed to wipe modems and routers. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. This malware is capable of wiping and deleting non-standard Linux files and overwriting storage device files that might relate to routers, SD cards and more.

Why it matters

Adversaries may use this technique to maximize the impact on the target organization in operations where network-wide availability interruption is the goal.

Detections

Name                                                 Technique                                           Type
Linux Account Manipulation Of SSH Config and Keys    Data Destruction, File Deletion, Indicator Removal  Anomaly
Linux Deletion Of Cron Jobs                          Data Destruction, File Deletion, Indicator Removal  Anomaly
Linux Deletion Of Init Daemon Script                 Data Destruction, File Deletion, Indicator Removal  TTP
Linux Deletion Of Services                           Data Destruction, File Deletion, Indicator Removal  TTP
Linux Deletion of SSL Certificate                    Data Destruction, File Deletion, Indicator Removal  Anomaly
Linux High Frequency Of File Deletion In Etc Folder  Data Destruction, File Deletion, Indicator Removal  Anomaly

Data Sources

Name                         Platform  Sourcetype    Source
Sysmon for Linux EventID 11  Linux     sysmon:linux  Syslog:Linux-Sysmon/Operational
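As an added example (not Splunk's own search and not code from this page), the following Python implements the idea behind the "Linux High Frequency Of File Deletion In Etc Folder" detection listed above: it groups file-deletion events by process and flags any process that deletes at least a threshold number of files under /etc within a short window. The event shape, the field names (time, process, path, action), the threshold and the sample events are assumptions constructed for this example.

```python
"""Burst detector for file deletions under /etc, grouped by process.

Added example, not Splunk's search. Field names (time, process, path,
action), the 10-files-per-minute threshold and the sample data are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, normalised from Sysmon-for-Linux style file
# events; they are not real AcidRain artifacts. A wiper-like process deletes
# 12 files under /etc in 11 seconds, a package manager deletes two files
# 35 minutes apart, and two unrelated events are mixed in.
SAMPLE_EVENTS = [
    {"time": f"2024-01-01T10:00:{i:02d}", "process": "/tmp/wiper",
     "path": f"/etc/config{i}.conf", "action": "deleted"}
    for i in range(12)
] + [
    {"time": "2024-01-01T10:05:00", "process": "/usr/bin/apt",
     "path": "/etc/ld.so.cache", "action": "deleted"},
    {"time": "2024-01-01T10:40:00", "process": "/usr/bin/apt",
     "path": "/etc/alternatives/editor", "action": "deleted"},
    {"time": "2024-01-01T10:00:05", "process": "/tmp/wiper",
     "path": "/var/log/syslog", "action": "deleted"},   # outside /etc
    {"time": "2024-01-01T10:00:06", "process": "/tmp/wiper",
     "path": "/etc/hostname", "action": "created"},     # not a deletion
]


def detect_etc_deletion_bursts(events, threshold=10, window=timedelta(minutes=1)):
    """Return {process: (count, first_ts, last_ts)} for every process that
    deleted at least `threshold` files under /etc within any `window`."""
    deletions = defaultdict(list)
    for ev in events:
        if ev["action"] == "deleted" and ev["path"].startswith("/etc/"):
            deletions[ev["process"]].append(datetime.fromisoformat(ev["time"]))

    alerts = {}
    for proc, times in deletions.items():
        times.sort()
        start = 0
        # Sliding window: treat each event as the window end, drop events
        # older than `window` from the front, and count what remains.
        for end, t_end in enumerate(times):
            while t_end - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(proc, (0,))[0]:
                alerts[proc] = (count, times[start], t_end)
    return alerts
```

Tune the threshold and window to the host's normal package-manager and configuration-management activity, otherwise routine updates will trip the rule.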

Source: GitHub | Version: 1