The derusbi_linux YARA rule identifies the Linux server component of Derusbi, a known malware platform used for command and control, by matching an ELF binary that carries four strings characteristic of that component: a rootkit shell prompt, a reconnaissance command, a disguised process name and a hidden file path. YARA operates on file and memory contents, not on log events, so the rule is run by a file scanner (for example the yara CLI or an EDR that supports YARA), and the resulting matches are forwarded to Azure Sentinel, where SOC teams should proactively hunt for them to detect and mitigate early-stage compromise by threat actors leveraging this tool.
YARA Rule
rule derusbi_linux
{
meta:
description = "Derusbi Server Linux version"
date = "2015-12-09"
author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
strings:
$PS1 = "PS1=RK# \\u@\\h:\\w \\$"
$cmd = "unset LS_OPTIONS;uname -a"
$pname = "[diskio]"
$rkfile = "/tmp/.secure"
$ELF = "\x7fELF"
condition:
$ELF at 0 and $PS1 and $cmd and $pname and $rkfile
}
This YARA rule can be deployed wherever raw file or process-memory contents can be scanned (on-access scanning, periodic filesystem sweeps, memory triage during incident response). It contains 5 string patterns in its detection logic; all five must be present, and the ELF magic must sit at offset 0, for the rule to fire. Note that the rule does not search for the word "derusbi" itself, which only appears in the rule name and metadata.
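The following pure-Python re-implementation of the rule's condition is an added example; it is not part of the original page or of the Airbus CSIRT rule, and every sample input in it is constructed for illustration rather than taken from a real Derusbi binary. It shows which inputs fire the rule and, for the ones that do not, which required pattern is missing, which is the first thing to check when triaging a suspected false positive.

```python
"""Re-implementation of the derusbi_linux YARA condition for triage.

Added example, not code from the original page. The sample inputs below are
constructed byte strings, not real Derusbi samples.
"""

# The four text strings from the rule. YARA treats "\\" inside a text string as
# one literal backslash, so the bytes below are what the scanner really looks for.
STRINGS = {
    "PS1": b"PS1=RK# \\u@\\h:\\w \\$",      # rootkit shell prompt
    "cmd": b"unset LS_OPTIONS;uname -a",     # reconnaissance command
    "pname": b"[diskio]",                    # kernel-thread-like process name
    "rkfile": b"/tmp/.secure",               # hidden file path
}
ELF_MAGIC = b"\x7fELF"


def matches_derusbi_linux(data: bytes) -> bool:
    """Condition: $ELF at 0 and $PS1 and $cmd and $pname and $rkfile."""
    if not data.startswith(ELF_MAGIC):       # "$ELF at 0": magic must be at offset 0
        return False
    return all(s in data for s in STRINGS.values())


def missing_strings(data: bytes) -> list[str]:
    """Names of the required patterns that are absent from data (empty on a hit)."""
    missing = [name for name, s in STRINGS.items() if s not in data]
    if not data.startswith(ELF_MAGIC):
        missing.insert(0, "ELF")
    return missing


def scan(samples: dict[str, bytes]) -> dict[str, bool]:
    """Apply the rule to a set of named samples, as a scanner sweep would."""
    return {name: matches_derusbi_linux(data) for name, data in samples.items()}


# Constructed samples (hypothetical content, labelled as such).
ELF_IDENT = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 13   # minimal-looking ELF64 e_ident

# 1. Looks like the binary the rule was written for: ELF header plus all four strings.
SAMPLE_HIT = (
    ELF_IDENT + b"\x00" * 32
    + STRINGS["pname"] + b"\x00" + STRINGS["rkfile"] + b"\x00"
    + b"the word derusbi is never searched for\x00"
    + STRINGS["cmd"] + b"\x00" + STRINGS["PS1"] + b"\x00"
)

# 2. A benign ELF that happens to contain "derusbi" and one of the strings: no match.
SAMPLE_CLEAN_ELF = ELF_IDENT + b"Usage: derusbi-scanner [diskio]\x00"

# 3. A log line quoting all four strings (e.g. a previous alert): text, not ELF, no match.
SAMPLE_LOG_LINE = b"Dec  9 12:00:00 host scanner[42]: derusbi_linux " + b" ".join(STRINGS.values())

# 4. The matching binary stored inside an archive: ELF magic is not at offset 0, no match
#    until the archive is unpacked, because YARA scans the raw file bytes.
SAMPLE_IN_ARCHIVE = b"PK\x03\x04" + SAMPLE_HIT

SAMPLES = {
    "hit": SAMPLE_HIT,
    "clean_elf": SAMPLE_CLEAN_ELF,
    "log_line": SAMPLE_LOG_LINE,
    "in_archive": SAMPLE_IN_ARCHIVE,
}

if __name__ == "__main__":
    for name, fired in scan(SAMPLES).items():
        status = "MATCH" if fired else "no match, missing " + ", ".join(missing_strings(SAMPLES[name]))
        print(f"{name:<12} {status}")
```

The archive case is the practical caveat: on-access scanners that see only the container file will not fire on a sample shipped in a tarball or zip, so a sweep should either extract archives first or additionally scan process memory after execution. When running the real rule, the equivalent of this script is `yara -r derusbi_linux.yar /path/to/scan`.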
Scenario: System update using yum or apt
Description: Package updates write many new ELF binaries, which on-access scanners inspect as they land on disk. The rule does not look for the word "derusbi" in log files or package metadata; it fires only on an ELF file that contains all four strings, so a legitimate update will not match unless a package actually ships a Derusbi binary.
Filter/Exclusion: Do not exclude on process.name being yum or apt, since a trojaned or mirror-poisoned package is exactly the case the rule should still catch. Instead, verify the flagged file against the package database (rpm -Vf on the file, or dpkg -S followed by dpkg --verify) and against the vendor's published checksum before closing the alert.
Scenario: Admin task using rsync to transfer files
Description: rsync copies file contents verbatim, so a Derusbi binary transferred between servers will match on both ends. The scanner sees the file bytes, not the rsync process or the filename; a filename or log entry containing the word "derusbi" is irrelevant to the rule.
Filter/Exclusion: No exclusion on process.name. Treat the match as a file alert: take the source host and path from the rsync log or command line and scan the origin host as well, since the file was already present there.
Scenario: Scheduled job using cron to run a script
Description: A cron job's script text and log output are not ELF files and cannot match. A match in the context of cron means a scheduled job executed or dropped an ELF binary containing all four strings, which is consistent with Derusbi persistence rather than with a false positive.
Filter/Exclusion: No exclusion on process.name being cron or crond. Correlate the flagged path with the crontab entries on the host (user crontabs, /etc/crontab and /etc/cron.d) to identify the job that references it.
Scenario: Log analysis tool like logwatch or splunk processing logs
Description: Logs are text, and the rule requires the ELF magic at offset 0, so log files, indexed events and reports that quote these strings (for example an earlier alert for this rule) never match, regardless of the tool processing them.
Filter/Exclusion: None needed for logwatch, splunk or syslog-ng. A match attributed to one of these tools should be investigated as a binary on disk, not dismissed as log content.
Scenario: Security tool like OSSEC or Tripwire generating alerts
Description: Alert messages and rule definitions that quote the strings do not match, because they are not ELF files. Security tooling does produce legitimate matches, however, when it stores copies of the binary itself: antivirus quarantine directories, malware sample repositories and YARA test corpora all contain real samples and will fire the rule.
Filter/Exclusion: Check for `process.name