Analytics Story: Gomir

Date: 2024-05-29 ID: 02dbfda2-45fe-4731-a659-91fa871019ba Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

This analytic story includes detections that help security analysts identify and investigate unusual activities associated with the Gomir backdoor malware. Gomir is a sophisticated cyber threat that gains unauthorized access to systems. It communicates with a remote command-and-control (C2) server to execute malicious commands, steal sensitive data, and facilitate further attacks, often evading traditional security measures.

Why it matters

The Gomir backdoor malware is a piece of cyber threat designed to infiltrate and compromise systems covertly. Once it gains unauthorized access, Gomir establishes a persistent presence by communicating with a remote command-and-control (C2) server. This connection allows the attacker to execute a wide range of malicious commands on the infected system. Gomir is capable of stealing sensitive data, which can be exfiltrated back to the attacker. Additionally, Gomir can download and install further malicious payloads, facilitating broader cyber-espionage or destructive activities.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Linux Adding Crontab Using List Parameter Cron, Scheduled Task/Job Hunting
Linux Auditd Service Restarted Systemd Timers, Scheduled Task/Job Anomaly
Linux Service File Created In Systemd Directory Systemd Timers, Scheduled Task/Job Anomaly
Linux Service Restarted Systemd Timers, Scheduled Task/Job Anomaly
Linux Service Started Or Enabled Systemd Timers, Scheduled Task/Job Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Linux Auditd Proctitle Linux icon Linux linux:audit /var/log/audit/audit.log
Sysmon for Linux EventID 1 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Sysmon for Linux EventID 11 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational

References

Source: GitHub | Version: 1