Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
Backdoor:Linux/Mirai is a notorious malware that infects Linux-based systems, particularly IoT devices, by exploiting weak or default credentials. Once infected, the device is enlisted into a botnet controlled by a remote attacker. This botnet is then used to launch large-scale Distributed Denial-of-Service (DDoS) attacks.
No specific strings found for this threat
rule Backdoor_Linux_Mirai_B_2147721642_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.B"
        threat_id = "2147721642"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "7"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "nmnlmevdm" ascii //weight: 1
        $x_1_2 = "XMNNCPF" ascii //weight: 1
        $x_1_3 = "egvnmacnkr" ascii //weight: 1
        $x_1_4 = "GLC@NG" ascii //weight: 1
        $x_1_5 = "Q[QVGO" ascii //weight: 1
        $x_1_6 = "LAMPPGAV" ascii //weight: 1
        $x_1_7 = "AJWLIGF" ascii //weight: 1
        $n_1_8 = "GET /shell?cat%%20/etc/passwd" ascii //weight: -1
        $n_1_9 = "GET /system.ini?loginuse&loginpas" ascii //weight: -1
    condition:
        (filesize < 20MB) and
        (not (any of ($n*))) and
        (all of ($x*))
}

f736621581514cb64157ddeeeecb61f0581c090ea8546dd250955dc6fab15b03

Immediately isolate the affected system from the network to prevent communication with its command-and-control server. Ensure the detected file has been removed, and change all default or weak passwords on network devices, especially IoT and Linux systems. Scan the network for other compromised devices.