We recently detected a new wave of attacks using Mirai variants; here are two notable detection rules (Suricata/Snort syntax) for the UDP traffic they generate:
alert udp any any -> any any (msg:"ET SCAN ELF/Mirai Variant UDP (Inbound)"; content:"|38 C4 FB 98 76 1F FC FE F4 00 00 00 01 63 31 7B 62 36 3E B1 A8 93 A8 61 98 8B 11 2A 3F 7C 1E AA BF C0 63 AD B7 50 68 A0 D6 2D 0E 17 3D F8 D4 F4 39 69 8D 69 0D 7D|"; sid:1000001; rev:1;)
alert udp any any -> any any (msg:"ET SCAN ELF/Mirai Variant UDP (Inbound)"; content:"|A5 E4 43 C7 00 3F 10 16 01 12 2F F8 3C E1 D0 5D 49 2A 43 A4 25 77 00 00 00 F2 60 25 D8 FF FF FF FF F4 6D 89 0B DC 36 47 F7 3A A5 38 8D|"; sid:1000002; rev:1;)
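As an added example (not code from the original note or the referenced analysis), a small Python checker that converts the `content` byte patterns of the two rules above into bytes and tests UDP payloads against them the way an unanchored Suricata/Snort `content` match does; the sample payloads are constructed, not captures.

```python
import re

# The two rules from the note, copied verbatim so the parser runs on real rule text.
RULES = [
    'alert udp any any -> any any (msg:"ET SCAN ELF/Mirai Variant UDP (Inbound)"; content:"|38 C4 FB 98 76 1F FC FE F4 00 00 00 01 63 31 7B 62 36 3E B1 A8 93 A8 61 98 8B 11 2A 3F 7C 1E AA BF C0 63 AD B7 50 68 A0 D6 2D 0E 17 3D F8 D4 F4 39 69 8D 69 0D 7D|"; sid:1000001; rev:1;)',
    'alert udp any any -> any any (msg:"ET SCAN ELF/Mirai Variant UDP (Inbound)"; content:"|A5 E4 43 C7 00 3F 10 16 01 12 2F F8 3C E1 D0 5D 49 2A 43 A4 25 77 00 00 00 F2 60 25 D8 FF FF FF FF F4 6D 89 0B DC 36 47 F7 3A A5 38 8D|"; sid:1000002; rev:1;)',
]


def content_to_bytes(content: str) -> bytes:
    """Snort/Suricata content strings alternate literal text and |hex| segments."""
    out = bytearray()
    for i, seg in enumerate(content.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(seg)  # fromhex ignores the spaces between bytes
        else:
            out += seg.encode("latin-1")
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Extract msg, sid and the decoded content pattern from one rule line."""
    msg = re.search(r'msg:"([^"]*)"', rule).group(1)
    content = re.search(r'content:"([^"]*)"', rule).group(1)
    sid = int(re.search(r"sid:(\d+)", rule).group(1))
    return {"sid": sid, "msg": msg, "pattern": content_to_bytes(content)}


def match_payload(payload: bytes, rules=RULES) -> list:
    """Return sids of rules whose pattern occurs anywhere in the UDP payload.
    A plain `content` with no offset/depth is an unanchored substring match."""
    return [r["sid"] for r in map(parse_rule, rules) if r["pattern"] in payload]


# Constructed sample datagram payloads (not real captures): the first embeds the
# sid 1000001 pattern after 8 bytes of padding, the second is benign DNS-like filler.
SAMPLE_HIT = b"\x00" * 8 + parse_rule(RULES[0])["pattern"] + b"\x00" * 4
SAMPLE_MISS = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"

if __name__ == "__main__":
    for name, p in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(name, match_payload(p))
```

Note that both rules are written `any any -> any any` despite the "(Inbound)" label in `msg`; in a deployment the destination would normally be narrowed to the monitored network.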
Reference: In-depth Analysis of a New Mirai Variant - RrUZi (Malware Protocol Reverse Engineering Analyst)