
Description

This analytic story includes detections that help security analysts identify and investigate activity associated with the Gomir backdoor. Gomir is a Linux backdoor that communicates with a remote command-and-control (C2) server to execute operator commands, steal sensitive data and stage further attacks, often without tripping traditional controls. The detections in this story focus on the persistence mechanisms it uses on a compromised host: cron jobs and systemd services.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2024-05-29
  • Author: Teoderick Contreras, Splunk
  • ID: 02dbfda2-45fe-4731-a659-91fa871019ba

Narrative

Gomir is a backdoor designed to infiltrate and compromise Linux systems covertly. Once it gains access, it establishes a persistent presence on the host and checks in with a remote command-and-control (C2) server. That channel lets the attacker run a wide range of commands on the infected system, collect sensitive data for exfiltration, and download and install further payloads, enabling broader cyber-espionage or destructive activity.

Detections

Name                                            | Technique                          | Type
------------------------------------------------+------------------------------------+--------
Linux Adding Crontab Using List Parameter       | Cron, Scheduled Task/Job           | Hunting
Linux Service File Created In Systemd Directory | Systemd Timers, Scheduled Task/Job | Anomaly
Linux Service Restarted                         | Systemd Timers, Scheduled Task/Job | Anomaly
Linux Service Started Or Enabled                | Systemd Timers, Scheduled Task/Job | Anomaly
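The four detections above all key on process or file-system telemetry from the Endpoint datamodel. The block below is an added example, not Splunk's SPL and not part of this story's content: it mirrors the matching logic of each detection in Python so the rules can be read and exercised offline, and it adds one correlation the table does not have, flagging a host where a freshly written unit file is followed by a start/enable of that same unit. The sample events, the list of systemd unit directories and the field names are constructed assumptions modelled on the Endpoint datamodel's Processes and Filesystem objects.

```python
"""Offline emulation of the four Gomir analytic-story detections.

Added example, not Splunk's SPL. Field names follow the Splunk Endpoint
datamodel (Processes.process_name, Processes.process, Filesystem.file_path);
every event below is made up for illustration.
"""
import os
import shlex
from dataclasses import dataclass

# Constructed sample telemetry (not real logs).
PROCESS_EVENTS = [
    {"dest": "web01", "user": "www-data", "process_name": "crontab",
     "process": "crontab -l"},
    {"dest": "web01", "user": "www-data", "process_name": "crontab",
     "process": "crontab -e"},
    {"dest": "web01", "user": "root", "process_name": "systemctl",
     "process": "systemctl enable --now syslogd.service"},
    {"dest": "web01", "user": "root", "process_name": "systemctl",
     "process": "systemctl restart syslogd.service"},
    {"dest": "db02", "user": "root", "process_name": "systemctl",
     "process": "systemctl status sshd"},
    {"dest": "db02", "user": "root", "process_name": "systemctl",
     "process": "systemctl start cups.service"},
]
FILESYSTEM_EVENTS = [
    {"dest": "web01", "action": "created",
     "file_path": "/etc/systemd/system/syslogd.service"},
    {"dest": "web01", "action": "created",
     "file_path": "/home/www-data/notes.txt"},
    {"dest": "db02", "action": "modified",
     "file_path": "/usr/lib/systemd/system/cups.service"},
]

# Directories systemd loads unit files from; assumed list, extend per distro.
SYSTEMD_UNIT_DIRS = ("/etc/systemd/system/", "/lib/systemd/system/",
                     "/usr/lib/systemd/system/", "/run/systemd/system/")

# systemctl verb -> (detection name, type) as listed in the story's table.
SYSTEMCTL_VERBS = {
    "restart": ("Linux Service Restarted", "Anomaly"),
    "start":   ("Linux Service Started Or Enabled", "Anomaly"),
    "enable":  ("Linux Service Started Or Enabled", "Anomaly"),
}


@dataclass(frozen=True)
class Finding:
    name: str    # detection name
    type: str    # Hunting / Anomaly
    dest: str    # host
    unit: str    # unit name when known, "crontab" for cron, else ""
    detail: str  # command line or file path that matched


def _args(cmdline):
    """Tokenize a command line the way a shell would; fall back on bad quoting."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def crontab_list_parameter(events):
    """crontab run with -l, the first step of `(crontab -l; echo ...) | crontab -`."""
    out = []
    for e in events:
        if e["process_name"] == "crontab" and "-l" in _args(e["process"])[1:]:
            out.append(Finding("Linux Adding Crontab Using List Parameter",
                               "Hunting", e["dest"], "crontab", e["process"]))
    return out


def service_file_created(events):
    """A new .service unit written into a directory systemd loads from."""
    out = []
    for e in events:
        p = e["file_path"]
        if (e.get("action") == "created" and p.startswith(SYSTEMD_UNIT_DIRS)
                and p.endswith(".service")):
            out.append(Finding("Linux Service File Created In Systemd Directory",
                               "Anomaly", e["dest"], os.path.basename(p), p))
    return out


def systemctl_activity(events):
    """systemctl restart/start/enable; the first non-option token is the verb."""
    out = []
    for e in events:
        if e["process_name"] != "systemctl":
            continue
        words = [a for a in _args(e["process"])[1:] if not a.startswith("-")]
        if words and words[0] in SYSTEMCTL_VERBS:
            name, typ = SYSTEMCTL_VERBS[words[0]]
            unit = words[1] if len(words) > 1 else ""
            out.append(Finding(name, typ, e["dest"], unit, e["process"]))
    return out


def run_all(process_events=PROCESS_EVENTS, fs_events=FILESYSTEM_EVENTS):
    """Run all four detections and return the combined findings."""
    return (crontab_list_parameter(process_events)
            + service_file_created(fs_events)
            + systemctl_activity(process_events))


def persistence_chains(findings):
    """(dest, unit) pairs where a new unit file and a start/enable of that unit
    both occurred on the same host: two anomalies that together spell persistence."""
    created = {(f.dest, f.unit) for f in findings
               if f.name == "Linux Service File Created In Systemd Directory"}
    activated = {(f.dest, f.unit) for f in findings
                 if f.name == "Linux Service Started Or Enabled"}
    return sorted(created & activated)


if __name__ == "__main__":
    hits = run_all()
    for f in hits:
        print(f"[{f.type}] {f.name} on {f.dest}: {f.detail}")
    print("persistence chains:", persistence_chains(hits))
```

On the constructed events the crontab rule fires once (`crontab -l`, not `crontab -e`), the unit-file rule fires once (the `created` write under /etc/systemd/system/; the `modified` event on db02 is ignored because the story's detection is about creation), and the systemctl rule fires three times; only web01 shows the create-then-enable chain. The crontab detection is typed Hunting in the table for a reason: `crontab -l` is common administrative activity, so treat its output as a lead to pivot on rather than an alert.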

Reference

Version: 1