Trusted Design

MMD-0034-2015 - New ELF Linux/DES.Downloader

概要

Elasticsearch [link] has vulnerability which is now exploited in the wild, this post is one of the attack which aiming the CVE-2015-1427 [link], quoted: a vulnerability in Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script. Elasticsearch's Groovy dynamic scripting disabled by default from v1.4.3 due to this vulnerability [link], which is a recommendable way to mitigate this on going attack. In this incident, the attacker is using the shell command to download and execute the malware shell script file, to collect sensitive information of the unix system hosted by Elasticsearch and send it to the remote host, parallel with download+install the ELF malware functioned as the botnet agent backdoor & downloader on the victim's host.It also audits the victim's system with Lynis [link] and send the result to the remote host too.

Created: 2026-02-23

Indicators

Indicatorsは見つかっていない。

類似Pulses

The Elastic Botnet (score: 0.67)
When ELF.BillGates met Windows (score: 0.59)
ElasticSearch Botnet - Botware Download URLs (score: 0.56)
Poor LinuxWebServer{ :;}; ShellSHOck Attempts BACK-CVE-2014-6271 (score: 0.55)
Probing for shell exploits uploaded using file/image uploaders. (score: 0.54)

このPulseに関連する脅威アクター (事実ベース)

Ember Bear

Score: 12.87

Matched TTPs:

T1578 - Modify Cloud Compute Infrastructure
T1564.013 - Bind Mounts
T1218.010 - Regsvr32
T1003.003 - NTDS

MITREへのリンク →

Silent Librarian

Score: 3.62

Matched TTPs:

T1578 - Modify Cloud Compute Infrastructure

MITREへのリンク →

Magic Hound

Score: 13.96

Matched TTPs:

T1578 - Modify Cloud Compute Infrastructure
T1564.013 - Bind Mounts
T1556.005 - Reversible Encryption
T1622 - Debugger Evasion
T1027.018 - Invisible Unicode
T1547.008 - LSASS Driver

MITREへのリンク →

Scattered Spider

Score: 8.10

Matched TTPs:

T1578 - Modify Cloud Compute Infrastructure
T1686.002 - Network Device Firewall
T1622 - Debugger Evasion

MITREへのリンク →

Sandworm Team

Score: 11.51

Matched TTPs:

T1686.003 - Windows Host Firewall
T1049 - System Network Connections Discovery
T1218.010 - Regsvr32
T1556.005 - Reversible Encryption
T1027.018 - Invisible Unicode

MITREへのリンク →

Volt Typhoon

Score: 11.95

Matched TTPs:

T1686.003 - Windows Host Firewall
T1049 - System Network Connections Discovery
T1686.002 - Network Device Firewall
T1622 - Debugger Evasion

MITREへのリンク →

Storm-0501

Score: 6.59

Matched TTPs:

T1686.003 - Windows Host Firewall
T1027.014 - Polymorphic Code

MITREへのリンク →

Lazarus Group

Score: 23.28

Matched TTPs:

T1558.005 - Ccache Files
T1069.001 - Local Groups
T1218.010 - Regsvr32
T1556.005 - Reversible Encryption
T1055.005 - Thread Local Storage
T1622 - Debugger Evasion
T1547.008 - LSASS Driver
T1216 - System Script Proxy Execution

MITREへのリンク →

RedCurl

Score: 6.68

Matched TTPs:

T1558.005 - Ccache Files
T1556.005 - Reversible Encryption
T1027.018 - Invisible Unicode

MITREへのリンク →

FIN13

Score: 6.46

Matched TTPs:

T1564.013 - Bind Mounts
T1556.005 - Reversible Encryption
T1622 - Debugger Evasion

MITREへのリンク →

UNC3886

Score: 7.95

Matched TTPs:

T1564.013 - Bind Mounts
T1686.002 - Network Device Firewall
T1218.010 - Regsvr32

MITREへのリンク →

APT29

Score: 22.84

Matched TTPs:

T1592.004 - Client Configurations
T1218.010 - Regsvr32
T1218.009 - Regsvcs/Regasm
T1546.018 - Python Startup Hooks
T1555.004 - Windows Credential Manager
T1027.018 - Invisible Unicode
T1547.008 - LSASS Driver

MITREへのリンク →

APT32

Score: 10.63

Matched TTPs:

T1592.004 - Client Configurations
T1027.014 - Polymorphic Code
T1218.010 - Regsvr32
T1556.005 - Reversible Encryption
T1027.018 - Invisible Unicode

MITREへのリンク →

BRONZE BUTLER

Score: 6.53

Matched TTPs:

T1592.004 - Client Configurations
T1218.010 - Regsvr32
T1556.005 - Reversible Encryption

MITREへのリンク →

HAFNIUM

Score: 4.81

Matched TTPs:

T1049 - System Network Connections Discovery
T1556.005 - Reversible Encryption

MITREへのリンク →

Axiom

Score: 11.30

Matched TTPs:

T1049 - System Network Connections Discovery
T1218.010 - Regsvr32
T1622 - Debugger Evasion
T1160 - Launch Daemon

MITREへのリンク →

Contagious Interview

Score: 15.10

Matched TTPs:

T1064 - Scripting
T1686.002 - Network Device Firewall
T1059.006 - Python
T1027.018 - Invisible Unicode
T1547.008 - LSASS Driver

MITREへのリンク →

Saint Bear

Score: 6.70

Matched TTPs:

T1064 - Scripting
T1218.010 - Regsvr32
T1027.018 - Invisible Unicode

MITREへのリンク →

Darkhotel

Score: 9.47

Matched TTPs:

T1064 - Scripting
T1564.002 - Hidden Users
T1218.010 - Regsvr32

MITREへのリンク →

FIN7

Score: 7.14

Matched TTPs:

T1564.002 - Hidden Users
T1622 - Debugger Evasion
T1027.018 - Invisible Unicode

MITREへのリンク →

Aquatic Panda

Score: 4.48

Matched TTPs:

T1686.002 - Network Device Firewall
T1622 - Debugger Evasion

MITREへのリンク →

TeamTNT

Score: 4.02

Matched TTPs:

T1686.002 - Network Device Firewall
T1556.005 - Reversible Encryption

MITREへのリンク →

Rocke

Score: 4.02

Matched TTPs:

T1686.002 - Network Device Firewall
T1556.005 - Reversible Encryption

MITREへのリンク →

APT41

Score: 7.16

Matched TTPs:

T1686.002 - Network Device Firewall
T1218.010 - Regsvr32
T1556.005 - Reversible Encryption
T1622 - Debugger Evasion

MITREへのリンク →

Sea Turtle

Score: 5.51

Matched TTPs:

T1686.002 - Network Device Firewall
T1218.010 - Regsvr32
T1556.005 - Reversible Encryption

MITREへのリンク →

TA551

Score: 3.93

Matched TTPs:

T1027.014 - Polymorphic Code
T1556.005 - Reversible Encryption

MITREへのリンク →

Cobalt Group

Score: 8.44

Matched TTPs:

T1027.014 - Polymorphic Code
T1218.010 - Regsvr32
T1556.005 - Reversible Encryption
T1622 - Debugger Evasion
T1027.018 - Invisible Unicode

MITREへのリンク →

Blue Mockingbird

Score: 4.39

Matched TTPs:

T1027.014 - Polymorphic Code
T1622 - Debugger Evasion

MITREへのリンク →

Leviathan

Score: 10.40

Matched TTPs:

T1027.014 - Polymorphic Code
T1218.010 - Regsvr32
T1622 - Debugger Evasion
T1027.018 - Invisible Unicode
T1546.017 - Udev Rules

MITREへのリンク →

Kimsuky

Score: 11.07

Matched TTPs:

T1027.014 - Polymorphic Code
T1556.005 - Reversible Encryption
T1622 - Debugger Evasion
T1027.018 - Invisible Unicode
T1003.003 - NTDS

MITREへのリンク →

Inception

Score: 5.43

Matched TTPs:

T1027.014 - Polymorphic Code
T1218.010 - Regsvr32
T1556.005 - Reversible Encryption

MITREへのリンク →

WIRTE

Score: 3.93

Matched TTPs:

T1027.014 - Polymorphic Code
T1556.005 - Reversible Encryption

MITREへのリンク →

APT19

Score: 3.93

Matched TTPs:

T1027.014 - Polymorphic Code
T1556.005 - Reversible Encryption

MITREへのリンク →

Sidewinder

Score: 4.04

Matched TTPs:

T1218.010 - Regsvr32
T1556.005 - Reversible Encryption
T1027.018 - Invisible Unicode

MITREへのリンク →

APT28

Score: 4.04

Matched TTPs:

T1218.010 - Regsvr32
T1556.005 - Reversible Encryption
T1027.018 - Invisible Unicode

MITREへのリンク →

Threat Group-3390

Score: 5.83

Matched TTPs:

T1218.010 - Regsvr32
T1556.005 - Reversible Encryption
T1546.017 - Udev Rules

MITREへのリンク →

Dragonfly

Score: 3.14

Matched TTPs:

T1218.010 - Regsvr32
T1622 - Debugger Evasion

MITREへのリンク →

EXOTIC LILY

Score: 5.38

Matched TTPs:

T1218.010 - Regsvr32
T1027.018 - Invisible Unicode
T1547.008 - LSASS Driver

MITREへのリンク →

Confucius

Score: 4.04

Matched TTPs:

T1218.010 - Regsvr32
T1556.005 - Reversible Encryption
T1027.018 - Invisible Unicode

MITREへのリンク →

Patchwork

Score: 4.50

Matched TTPs:

T1218.010 - Regsvr32
T1622 - Debugger Evasion
T1027.018 - Invisible Unicode

MITREへのリンク →

Higaisa

Score: 5.83

Matched TTPs:

T1218.010 - Regsvr32
T1556.005 - Reversible Encryption
T1546.017 - Udev Rules

MITREへのリンク →

APT37

Score: 6.30

Matched TTPs:

T1218.010 - Regsvr32
T1556.005 - Reversible Encryption
T1216 - System Script Proxy Execution

MITREへのリンク →

Mustang Panda

Score: 8.17

Matched TTPs:

T1218.010 - Regsvr32
T1556.005 - Reversible Encryption
T1055.005 - Thread Local Storage
T1027.018 - Invisible Unicode

MITREへのリンク →

APT3

Score: 4.50

Matched TTPs:

T1218.010 - Regsvr32
T1622 - Debugger Evasion
T1027.018 - Invisible Unicode

MITREへのリンク →

OilRig

Score: 8.21

Matched TTPs:

T1218.010 - Regsvr32
T1556.005 - Reversible Encryption
T1622 - Debugger Evasion
T1027.018 - Invisible Unicode
T1547.008 - LSASS Driver

MITREへのリンク →

APT33

Score: 4.04

Matched TTPs:

T1218.010 - Regsvr32
T1556.005 - Reversible Encryption
T1027.018 - Invisible Unicode

MITREへのリンク →

MuddyWater

Score: 4.04

Matched TTPs:

T1218.010 - Regsvr32
T1556.005 - Reversible Encryption
T1027.018 - Invisible Unicode

MITREへのリンク →

Moonstone Sleet

Score: 3.71

Matched TTPs:

T1556.005 - Reversible Encryption
T1547.008 - LSASS Driver

MITREへのリンク →

Dark Caracal

Score: 3.71

Matched TTPs:

T1556.005 - Reversible Encryption
T1547.008 - LSASS Driver

MITREへのリンク →

Medusa Group

Score: 6.46

Matched TTPs:

T1556.005 - Reversible Encryption
T1622 - Debugger Evasion
T1216 - System Script Proxy Execution

MITREへのリンク →

APT38

Score: 6.17

Matched TTPs:

T1556.005 - Reversible Encryption
T1027.018 - Invisible Unicode
T1216 - System Script Proxy Execution

MITREへのリンク →

Wizard Spider

Score: 4.20

Matched TTPs:

T1556.005 - Reversible Encryption
T1622 - Debugger Evasion
T1027.018 - Invisible Unicode

MITREへのリンク →

FIN8

Score: 4.20

Matched TTPs:

T1556.005 - Reversible Encryption
T1622 - Debugger Evasion
T1027.018 - Invisible Unicode

MITREへのリンク →

Windshift

Score: 5.07

Matched TTPs:

T1556.005 - Reversible Encryption
T1027.018 - Invisible Unicode
T1547.008 - LSASS Driver

MITREへのリンク →

Gamaredon Group

Score: 5.70

Matched TTPs:

T1556.005 - Reversible Encryption
T1027.018 - Invisible Unicode
T1546.017 - Udev Rules

MITREへのリンク →

APT39

Score: 4.20

Matched TTPs:

T1556.005 - Reversible Encryption
T1622 - Debugger Evasion
T1027.018 - Invisible Unicode

MITREへのリンク →

Equation

Score: 4.13

Matched TTPs:

T1130 - Install Root Certificate

MITREへのリンク →

Strider

Score: 4.13

Matched TTPs:

T1130 - Install Root Certificate

MITREへのリンク →

Mustard Tempest

Score: 5.90

Matched TTPs:

T1543.002 - Systemd Service
T1027.018 - Invisible Unicode

MITREへのリンク →

FIN6

Score: 4.17

Matched TTPs:

T1622 - Debugger Evasion
T1547.008 - LSASS Driver

MITREへのリンク →

Molerats

Score: 4.51

Matched TTPs:

T1027.018 - Invisible Unicode
T1546.017 - Udev Rules

MITREへのリンク →

TA2541

Score: 4.51

Matched TTPs:

T1027.018 - Invisible Unicode
T1546.017 - Udev Rules

MITREへのリンク →

Mofang

Score: 4.51

Matched TTPs:

T1027.018 - Invisible Unicode
T1546.017 - Udev Rules

MITREへのリンク →

このPulseに関連する脅威アクター (推論ベース)

APT29

Score: 0.77

Matched TTPs:

T1592.004 - Client Configurations
T1547.008 - LSASS Driver
T1546.018 - Python Startup Hooks
T1555.004 - Windows Credential Manager
T1027.018 - Invisible Unicode
T1218.009 - Regsvcs/Regasm
T1218.010 - Regsvr32

MITREへのリンク →

Lazarus Group

Score: 0.75

Matched TTPs:

T1547.008 - LSASS Driver
T1622 - Debugger Evasion
T1216 - System Script Proxy Execution
T1069.001 - Local Groups
T1558.005 - Ccache Files
T1055.005 - Thread Local Storage
T1556.005 - Reversible Encryption
T1218.010 - Regsvr32

MITREへのリンク →

Related CVEs

Pulse – 脅威アクターグラフ

← Pulse一覧に戻る