Try in Splunk Security Cloud

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the acidrain malware including deleting of files and etc. AcidRain is an ELF MIPS malware specifically designed to wipe modems and routers. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. This malware is capable of wiping and deleting non-standard linux files and overwriting storage device files that might related to router, ssd card and many more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2022-04-12
  • Author: Teoderick Contreras, Splunk
  • ID: c68717c6-4938-434b-987c-e1ce9d516124

Narrative

Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.

Detections

Name Technique Type
Linux Account Manipulation Of SSH Config and Keys Data Destruction, File Deletion, Indicator Removal Anomaly
Linux Deletion Of Cron Jobs Data Destruction, File Deletion, Indicator Removal Anomaly
Linux Deletion Of Init Daemon Script Data Destruction, File Deletion, Indicator Removal TTP
Linux Deletion Of Services Data Destruction, File Deletion, Indicator Removal TTP
Linux Deletion of SSL Certificate Data Destruction, File Deletion, Indicator Removal Anomaly
Linux High Frequency Of File Deletion In Etc Folder Data Destruction, File Deletion, Indicator Removal Anomaly

Reference

source | version: 1