Examining linux memory dump with signs of compromise in yarascan
I have captured a memory dump of a recent Ubuntu 22.04 system, kernel 6.2.0-39-generic.
I captured the image with LiME and analyzed it with volatility3.
I ran a yarascan against all known rules and found a suspicious number of matches for spyeye.
Here is the output:
Now I'm checking these results against a clean install of Ubuntu 22.04 with the same kernel, on a different system not connected to any network, to ensure these aren't false positives. However, there are too many matches here for the spyeye strain for them to be false positives. I also have good reason to believe that computer is being monitored.
So, to some of the more senior security guys: how can I go about examining this further, aside from cross-checking memory addresses with processes, and what's the next step here?
Any practical advice would be appreciated.
EDIT: I cross-referenced the results with a fresh installation of an Ubuntu workstation and found that the spyeye rule matches were largely false positives. Many of the same hits exist on a fresh install of the system. I compiled a list of the matches which did not appear on the fresh machine. Most of these PIDs are Chrome:
0x7f3826c9d306 6819 WarpStrings $ 77 79 6c 65
0x7f38270ef063 6819 Cerberus $generic 43 65 72 62 65 72 75 73
0x7f38272d70e3 6819 Cerberus $generic 43 65 72 62 65 72 75 73
0x7f321c49558f 6866 memory_shylock $b 69 64 3d 44 31 38 46 33 46 35 38 38 32 34 45 44 44 37 42 35 39 36 31 34 44 46 37 41 45 33 39 41 42 39 37
0x559888d1b663 7027 spyeye $d 64 61 74 61 5f 62 65 66 6f 72 65
0x559888d1b663 7118 spyeye $d 64 61 74 61 5f 62 65 66 6f 72 65
0x7fa7712e1440 7409 Cerberus $generic 43 45 52 42 45 52 55 53
0x7fa7712e1451 7409 Cerberus $generic 43 65 72 62 65 72 75 73
0x7fa77156fd80 7409 Cerberus $generic 43 45 52 42 45 52 55 53
0x7fa77156fd94 7409 Cerberus $generic 43 65 72 62 65 72 75 73
0x7fa7719f162a 7409 Cerberus $generic 43 65 72 62 65 72 75 73
0x18b06802b80 12841 Cerberus $generic 63 65 72 62 65 72 75 73
0x18b069950ac 12841 ScarhiknStrings $ 68 61 68 61 31 32 33
0xac40555614b 12841 memory_shylock $b 69 64 3d 44 31 38 46 33 46 35 38 38 32 34 45 44 44 37 42 35 39 36 31 34 44 46 37 41 45 33 39 41 42 39 37
0xac405556f4b 12841 memory_shylock $b 69 64 3d 44 31 38 46 33 46 35 38 38 32 34 45 44 44 37 42 35 39 36 31 34 44 46 37 41 45 33 39 41 42 39 37
0xac405558b4b 12841 memory_shylock $b 69 64 3d 44 31 38 46 33 46 35 38 38 32 34 45 44 44 37 42 35 39 36 31 34 44 46 37 41 45 33 39 41 42 39 37
0xac406ef8f48 12841 xtreme_rat $signature1 58 00 54 00 52 00 45 00 4d 00 45
0xac407101f4e 12841 xtreme_rat $signature1 58 00 54 00 52 00 45 00 4d 00 45
0x7f6e0929a58f 12841 memory_shylock $b 69 64 3d 44 31 38 46 33 46 35 38 38 32 34 45 44 44 37 42 35 39 36 31 34 44 46 37 41 45 33 39 41 42 39 37
0x559888d1b663 12841 spyeye $d 64 61 74 61 5f 62 65 66 6f 72 65
0x559888d1b663 8502 spyeye $d 64 61 74 61 5f 62 65 66 6f 72 65
0x559888d1b663 12918 spyeye $d 64 61 74 61 5f 62 65 66 6f 72 65
0x559888d1b663 13359 spyeye $d 64 61 74 61 5f 62 65 66 6f 72 65
0x559888d1b663 14337 spyeye $d 64 61 74 61 5f 62 65 66 6f 72 65
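The triage the EDIT describes (compare the hits against a scan of a clean reference install, keep only those that do not occur there, and look at what the matched bytes actually spell) as an added Python example; this is not part of the question and not Volatility's own code. It assumes yarascan output in the one-hit-per-line shape shown above (offset, PID, rule, string identifier, hex bytes); the sample scan and the baseline scan below are constructed in that shape, and `shared_offsets` is a triage heuristic of this example, not a Volatility feature.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample hits in the one-hit-per-line shape of the output above:
# offset, PID, rule name, YARA string identifier, matched bytes as hex pairs.
SAMPLE_HITS = """\
0x7f3826c9d306 6819 WarpStrings $ 77 79 6c 65
0x7f38270ef063 6819 Cerberus $generic 43 65 72 62 65 72 75 73
0x559888d1b663 7027 spyeye $d 64 61 74 61 5f 62 65 66 6f 72 65
0x559888d1b663 7118 spyeye $d 64 61 74 61 5f 62 65 66 6f 72 65
0xac406ef8f48 12841 xtreme_rat $signature1 58 00 54 00 52 00 45 00 4d 00 45
0x18b069950ac 12841 ScarhiknStrings $ 68 61 68 61 31 32 33
"""

# Constructed baseline: the same scan run on the clean, offline reference
# install. Offsets and PIDs are machine-specific, so only (rule, string
# identifier, matched bytes) is used when comparing the two scans.
BASELINE_HITS = """\
0x559888d1b663 4100 spyeye $d 64 61 74 61 5f 62 65 66 6f 72 65
0x7f1100000063 4211 Cerberus $generic 43 65 72 62 65 72 75 73
"""

LINE_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(\d+)\s+(\S+)\s+(\$\S*)\s+((?:[0-9a-f]{2}\s*)+)$", re.I
)


@dataclass(frozen=True)
class Hit:
    offset: int
    pid: int
    rule: str
    string_id: str
    data: bytes

    def signature(self):
        """What a hit 'is', independent of where and in which process it landed."""
        return (self.rule, self.string_id, self.data)


def parse_yarascan(text):
    """Parse one-hit-per-line yarascan output; lines that do not fit are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        offset, pid, rule, string_id, hexbytes = m.groups()
        data = bytes.fromhex("".join(hexbytes.split()))
        hits.append(Hit(int(offset, 16), int(pid), rule, string_id, data))
    return hits


def decode_match(data):
    """Render matched bytes readably: UTF-16LE if every odd byte is NUL, else ASCII."""
    if len(data) >= 2 and not any(data[1::2]):
        return data[0::2].decode("latin-1")
    return data.decode("ascii", errors="replace")


def novel_hits(hits, baseline):
    """Hits whose (rule, string, bytes) never occurred on the clean reference system."""
    known = {h.signature() for h in baseline}
    return [h for h in hits if h.signature() not in known]


def shared_offsets(hits):
    """Offsets at which a hit landed in more than one PID.

    The same virtual address in many processes usually means the same
    executable image or shared library mapped at the same place, which hints
    that the string belongs to that binary rather than to something injected.
    """
    pids_at = defaultdict(set)
    for h in hits:
        pids_at[h.offset].add(h.pid)
    return {off: sorted(pids) for off, pids in pids_at.items() if len(pids) > 1}


def triage_report(hits, baseline):
    """Per-PID list of (rule, decoded string) for hits absent from the baseline."""
    report = defaultdict(list)
    for h in novel_hits(hits, baseline):
        report[h.pid].append((h.rule, decode_match(h.data)))
    return dict(report)


if __name__ == "__main__":
    scan = parse_yarascan(SAMPLE_HITS)
    base = parse_yarascan(BASELINE_HITS)
    for h in scan:
        print(f"{h.pid:>6} {h.rule:<16} {h.string_id:<12} {decode_match(h.data)!r}")
    print("offsets hit in several PIDs:", {hex(k): v for k, v in shared_offsets(scan).items()})
    print("not seen on the clean install:", triage_report(scan, base))
```

Decoding the bytes is the quickest sanity check on a rule: the spyeye `$d` hit is the plain string `data_before` and the Cerberus `$generic` hits are just the word `Cerberus` in various cases, which are short enough to occur in ordinary binaries. Seeing the same offset in many PIDs (here 0x559888d1b663 in every spyeye hit) is the kind of pattern that points at one executable image, such as Chrome's many renderer processes, rather than at a payload placed separately into each process.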