The hypothesis is that an adversary may be using a compromised DropBear SSH server with a known backdoor password to maintain persistent access within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term persistence mechanisms and mitigate the risk of unauthorized access.
YARA Rule
rule BlackEnergy_BackdoorPass_DropBear_SSH
{
    meta:
        description = "Detects the password of the backdoored DropBear SSH Server - BlackEnergy"
        author = "Florian Roth"
        reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
        date = "2016-01-03"
        hash = "0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd"
    strings:
        $s1 = "passDs5Bu9Te7" fullword ascii
    condition:
        uint16(0) == 0x5a4d and $s1
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
Scenario: Scheduled System Backup Using DropBear SSH
Description: A legitimate scheduled backup job uses DropBear SSH to transfer backup files to a remote server.
Filter/Exclusion: process.name != "dropbear" OR (process.parent.name != "crontab" AND process.parent.name != "systemd")
Scenario: Admin Task to Test SSH Connectivity
Description: An administrator manually tests SSH connectivity using DropBear to verify server availability.
Filter/Exclusion: process.user != "root" OR process.command_line NOT LIKE '%-p 22%'
Scenario: Remote Management via DropBear for Patching
Description: IT staff uses DropBear SSH to remotely apply system patches or updates to a server.
Filter/Exclusion: process.name != "dropbear" OR (process.parent.name != "ssh" AND process.parent.name != "systemd")
Scenario: Internal Monitoring Tool Using DropBear SSH
Description: A monitoring tool like Nagios or Zabbix uses DropBear SSH to check server status or collect metrics.
Filter/Exclusion: process.name != "dropbear" OR (process.parent.name != "nagios" AND process.parent.name != "zabbix")
Scenario: Legacy Application Using DropBear for Secure Communication
Description: A legacy internal application uses DropBear SSH to securely communicate with another internal service.
Filter/Exclusion: process.name != "dropbear" OR (process.parent.name != "legacy_app" AND process.parent.name != "custom_service")
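The scenarios above define which DropBear process events a hunter can safely set aside before reviewing the rest. The following is an added example, not part of the original page: a small Python model of those exclusions applied to constructed process events (the process.* field names are taken from the filters above, the event values are made up), so the tuning logic can be checked offline before it is expressed as a KQL query in Sentinel.

```python
"""Model of the DropBear hunt exclusion filters (added example, constructed data)."""
from typing import Iterable

# Parent processes the scenarios above treat as legitimate launchers of
# dropbear: scheduled backups, remote patching, monitoring, legacy apps.
BENIGN_PARENTS = {"crontab", "systemd", "ssh", "nagios", "zabbix",
                  "legacy_app", "custom_service"}


def is_excluded(ev: dict) -> bool:
    """True when a process event matches one of the benign scenarios.

    Each scenario is the condition under which the event IS benign, so an
    event must be dropbear AND have a benign parent to be dropped.  This is
    the negation of the page's keep-filters written as
    'process.name != "dropbear" OR process.parent.name NOT IN (...)'.
    """
    name = ev.get("process.name", "")
    parent = ev.get("process.parent.name", "")
    user = ev.get("process.user", "")
    cmd = ev.get("process.command_line", "")
    scheduled_or_managed = name == "dropbear" and parent in BENIGN_PARENTS
    # Substring match mirrors LIKE '%-p 22%'; note it also matches "-p 2222".
    admin_connectivity_test = user == "root" and "-p 22" in cmd
    return scheduled_or_managed or admin_connectivity_test


def hunt(events: Iterable[dict]) -> list:
    """Return the events that survive every exclusion and need analyst review."""
    return [ev for ev in events if not is_excluded(ev)]


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"process.name": "dropbear", "process.parent.name": "crontab",
     "process.user": "backup", "process.command_line": "dropbear -s -p 2222"},
    {"process.name": "dropbear", "process.parent.name": "bash",
     "process.user": "www-data", "process.command_line": "dropbear -p 4422"},
    {"process.name": "dropbear", "process.parent.name": "bash",
     "process.user": "root", "process.command_line": "dropbear -p 22"},
    {"process.name": "dropbear", "process.parent.name": "nagios",
     "process.user": "nagios", "process.command_line": "dropbear -p 22 -s"},
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print("REVIEW:", ev["process.user"], ev["process.parent.name"],
              ev["process.command_line"])
```

Only the dropbear instance started from an interactive shell by a non-root user survives the exclusions; the cron, root connectivity-test and monitoring launches are dropped.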