Breaking Down Linux.Gomir: Understanding this Backdoor’s TTPs

    Date: 07/16/2024

    Severity: Medium

    Summary

    Linux.Gomir creates a unique beacon ID for the compromised host, derived from the first 10 characters of the MD5 hash of the username and hostname. This ID is sent to the Command and Control (C2) server for tracking; it is what lets the attackers identify and manage individual infected machines.
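    Because the beacon ID is deterministic, a defender who sees one in captured C2 traffic can map it back to the host it came from. The Python below is an added illustration, not code from this advisory or from the Splunk write-up: it computes candidate IDs for an asset inventory and resolves observed IDs against them. The advisory does not state the concatenation order, separator or encoding of the two values, so those are assumptions and several plausible layouts are tried.

```python
import hashlib
import re
from typing import Dict, Iterable, Optional, Tuple

# Linux.Gomir tags each compromised host with a 10-character beacon ID: the
# first 10 hex characters of an MD5 over the username and hostname.
ID_LENGTH = 10
_HEX_ID = re.compile(r"^[0-9a-f]{10}$")

# ASSUMPTION (not stated in the advisory): order, separator and encoding of
# the two values. Several plausible layouts are tried so an observed ID can
# still be matched; once a sample confirms the real layout, keep only that one.
SEPARATORS = ("", ":", "-", "_", "@")


def beacon_id(material: bytes) -> str:
    """First 10 hex digits of MD5 over the raw ID material."""
    return hashlib.md5(material).hexdigest()[:ID_LENGTH]


def looks_like_beacon_id(value: str) -> bool:
    """Cheap filter for strings pulled out of C2 traffic."""
    return bool(_HEX_ID.match(value.lower()))


def candidate_ids(username: str, hostname: str) -> Dict[str, str]:
    """Map every candidate beacon ID for this user/host to the layout that made it."""
    out: Dict[str, str] = {}
    for sep in SEPARATORS:
        for layout, material in (
            (f"user{sep}host", username + sep + hostname),
            (f"host{sep}user", hostname + sep + username),
        ):
            out[beacon_id(material.encode("utf-8"))] = layout
    return out


def attribute_beacons(
    observed_ids: Iterable[str], inventory: Iterable[Tuple[str, str]]
) -> Dict[str, Optional[Tuple[str, str, str]]]:
    """Resolve IDs seen in C2 traffic to (username, hostname, layout) via inventory."""
    # A 10-hex-digit prefix is only 40 bits: in a very large inventory two hosts
    # could share an ID, so the first match wins and must be confirmed on the host.
    table: Dict[str, Tuple[str, str, str]] = {}
    for user, host in inventory:
        for bid, layout in candidate_ids(user, host).items():
            table.setdefault(bid, (user, host, layout))
    return {
        bid: table.get(bid.lower()) if looks_like_beacon_id(bid) else None
        for bid in observed_ids
    }
```

    Feed `attribute_beacons` the IDs extracted from proxy or NetFlow captures of the C2 sessions and your user/host inventory; an unmatched ID most likely means a host or account missing from the inventory rather than a false positive.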

    Indicators of Compromise (IOC) List

    Hash

    30584f13c0a9d0c86562c803de350432d5a0607a06b24481ad4d92cdf7288213

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Hash

    sha256hash IN ("30584f13c0a9d0c86562c803de350432d5a0607a06b24481ad4d92cdf7288213")


    Reference:

    https://www.splunk.com/en_us/blog/security/breaking-down-linux-gomir-understanding-this-backdoors-ttps.html
