Trusted Design

When ELF.BillGates met Windows

概要

The “Elf.BillGates” version targets Linux operating system. We have followed the activities of this botnet for several months and during our investigations we found some versions of a Windows fork of the malware. This article attempts to detail this variant. The primary infection vector is the exploit of the vulnerability CVE-2014-6332[3], which drops the binary file hosted on an HTTPd File Server (HFS)[4]. This vulnerability allows an attacker to escape the Internet Explorer sandbox with a VBScript script and execute an arbitrary binary file downloaded from the Internet.

Created: 2026-02-23

Indicators

• YARA - 775815d848783a1f888a0c54bc17b28ebc662a24 -
• YARA - 6dc6040bd9cdcdda27ee51530726c8d13baafece -
• FileHash-MD5 - f864867f277330f81669a7c90fb6a3f4 -
• FileHash-MD5 - fb7e7b5c35bb5311acc8139350344878 -
• YARA - 2a0821f1b4cdc00f9e8d13c5ff0e0f0e64f5bc28 -
• FileHash-MD5 - 51f00e56b4ef21e6b7d6685ca3fbad1a -
• YARA - 5b69639aaede7663807b92347759f4c8aa801f21 -
• FileHash-MD5 - 8e9e4da1272f0b637917201443fcbd0a -
• YARA - dc0814e247edd0e91a6c1325cad7055704403e6c -
• FileHash-MD5 - c32f27eaadda31c36e32e97c481771c9 -
• FileHash-SHA256 - 4d7d9a80973b61f5fecdfdcd2e050ed9bc9541ad82ff68c864d851632ca16a77 -
• hostname - mou521.f3322.org -
• FileHash-MD5 - 4b14d7aca890642c3e269b75953e65cb -
• YARA - 477e80afe6fefc45573c5391a22e21717e9fa3c0 -
• hostname - say.f322.net -
• CVE - CVE-2014-6332 -

類似Pulses

• Linux/PnScan ; ELF worm (score: 0.67)
• Aggressive Malware Pushers: Prolific Cyber Surfers Beware (score: 0.65)
• WARP (FAMILY) (score: 0.65)
• Worm:Win32/Folstart (score: 0.63)
• Bloodhound malware on Metadefender.com (score: 0.63)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る