Backdoor:Linux/Mirai - Windows Defender Threat Analysis

Backdoor:Linux/Mirai is a notorious malware that infects Linux-based systems, particularly IoT devices, by exploiting weak or default credentials. Once infected, the device is enlisted into a botnet controlled by a remote attacker. This botnet is then used to launch large-scale Distributed Denial-of-Service (DDoS) attacks.

No specific strings found for this threat

rule Backdoor_Linux_Mirai_B_2147721642_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.B"
        threat_id = "2147721642"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "7"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "nmnlmevdm" ascii //weight: 1
        $x_1_2 = "XMNNCPF" ascii //weight: 1
        $x_1_3 = "egvnmacnkr" ascii //weight: 1
        $x_1_4 = "GLC@NG" ascii //weight: 1
        $x_1_5 = "Q[QVGO" ascii //weight: 1
        $x_1_6 = "LAMPPGAV" ascii //weight: 1
        $x_1_7 = "AJWLIGF" ascii //weight: 1
        $n_1_8 = "GET /shell?cat%%20/etc/passwd" ascii //weight: -1
        $n_1_9 = "GET /system.ini?loginuse&loginpas" ascii //weight: -1
    condition:
        (filesize < 20MB) and
        (not (any of ($n*))) and
        (all of ($x*))
}

Immediately isolate the affected system from the network to prevent communication with its command-and-control server. Ensure the detected file has been removed, and change all default or weak passwords on network devices, especially IoT and Linux systems. Scan the network for other compromised devices.