Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This is a concrete detection of a Linux backdoor in the Mirai botnet family, variant AJ (the `!xp` suffix on the detection name is an internal category, see the rule metadata). Mirai targets Linux IoT and embedded devices, typically gaining a foothold through factory-default or weak credentials and enrolling the device in a botnet used for DDoS attacks. The rule's strings reflect what the sample does on the device: a drop path (`/var/tmp/sonia`), `/bin/busybox chmod 777` to make the dropped payload executable, `/bin/busybox rm -rf .file` to remove the on-disk copy once it is running, a path under `/dev/netslink/`, and a hardware watchdog node (`/dev/FTWDT101_watchdog`), which Mirai opens in order to disable the watchdog so that a hung device does not reboot itself and clear the in-memory infection. The remaining string, `npxXoudifFeEgGaACScs`, is a printf conversion-character table found in many statically linked uClibc binaries; it is deliberately kept at weight 1 so that this generic libc artifact cannot trigger the rule on its own.
```yara
rule Backdoor_Linux_Mirai_AJ_2147816822_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.AJ!xp"
        threat_id = "2147816822"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "xp: an internal category used to refer to some threats"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "4"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "/var/tmp/sonia" ascii //weight: 1
        $x_1_2 = "/dev/FTWDT101_watchdog" ascii //weight: 1
        $x_2_3 = "/bin/busybox chmod 777" ascii //weight: 2
        $x_1_4 = "/dev/netslink/" ascii //weight: 1
        $x_1_5 = "/bin/busybox rm -rf .file" ascii //weight: 1
        $x_1_6 = "npxXoudifFeEgGaACScs" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (
            ((4 of ($x_1_*))) or
            ((1 of ($x_2_*) and 2 of ($x_1_*))) or
            (all of ($x*))
        )
}
```

Immediately isolate the infected Linux device from the network. Before rebooting, identify and terminate the malicious process, and collect evidence while it is still available: Mirai-family samples usually delete their own binary after launch (the rule's `/bin/busybox rm -rf .file` string reflects this), so the running process, whose `/proc/<pid>/exe` link then points at a target marked `(deleted)`, is often the only artifact left on the device. Remove any associated files that do remain (e.g. `/var/tmp/sonia`), then change all default or weak administrative credentials, since the family spreads by logging in with factory passwords. Update device firmware and software, and put strong network segmentation and firewall rules in place so that a reinfection cannot reach the device or propagate from it.
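The `$x_<weight>_<n>` naming and the `threshold = "4"` metadata encode a weighted scoring scheme: the condition block simply enumerates every way the summed weights can reach 4 (four weight-1 strings, or the weight-2 `chmod 777` string plus any two weight-1 strings). The following Python re-implementation is an added example, not code from threatcheck.sh or the rule author; it transcribes the condition literally, states the equivalent threshold form, and brute-forces all 64 string subsets to confirm the two agree. The ELF-like sample inputs are constructed for the demonstration, and the `20MB` limit is taken as YARA's 20 * 2^20 bytes.

```python
# Added example (not from threatcheck.sh or the rule author): a plain-Python
# re-implementation of the weighted-string logic of
# Backdoor_Linux_Mirai_AJ_2147816822_0, so the threshold semantics can be
# inspected and tested without a YARA engine. All sample inputs are constructed.
from itertools import combinations
from typing import Dict, List, Tuple

MAX_FILESIZE = 20 * 1024 * 1024  # YARA's "20MB" is 20 * 2**20 bytes
THRESHOLD = 4                    # meta: threshold = "4"

# (identifier, weight, pattern) copied from the rule's strings section
RULE_STRINGS: List[Tuple[str, int, bytes]] = [
    ("$x_1_1", 1, b"/var/tmp/sonia"),
    ("$x_1_2", 1, b"/dev/FTWDT101_watchdog"),
    ("$x_2_3", 2, b"/bin/busybox chmod 777"),
    ("$x_1_4", 1, b"/dev/netslink/"),
    ("$x_1_5", 1, b"/bin/busybox rm -rf .file"),
    ("$x_1_6", 1, b"npxXoudifFeEgGaACScs"),  # generic uClibc printf table, weight 1
]


def find_matches(data: bytes) -> Dict[str, int]:
    """Return {identifier: weight} for every rule string present in data."""
    return {name: weight for name, weight, pat in RULE_STRINGS if pat in data}


def yara_condition(data: bytes) -> bool:
    """Literal transcription of the rule's condition block."""
    if not len(data) < MAX_FILESIZE:          # (filesize < 20MB)
        return False
    hits = find_matches(data)
    x1 = sum(1 for name in hits if name.startswith("$x_1_"))
    x2 = sum(1 for name in hits if name.startswith("$x_2_"))
    return (x1 >= 4                            # 4 of ($x_1_*)
            or (x2 >= 1 and x1 >= 2)           # 1 of ($x_2_*) and 2 of ($x_1_*)
            or len(hits) == len(RULE_STRINGS))  # all of ($x*)


def weight_condition(data: bytes) -> bool:
    """Equivalent form: fire when the summed weights of the matched strings
    reach the rule's threshold, which is what the $x_<weight>_ names encode."""
    if not len(data) < MAX_FILESIZE:
        return False
    return sum(find_matches(data).values()) >= THRESHOLD


def build_sample(*names: str, size: int = 4096) -> bytes:
    """Construct a fake ELF-like blob that contains only the named rule strings."""
    chosen = [pat for name, _, pat in RULE_STRINGS if name in names]
    body = b"\x7fELF" + b"\x00".join(chosen)
    return body.ljust(size, b"\x00")


def conditions_agree_on_all_subsets() -> bool:
    """Brute-force check: both condition forms agree for every subset of strings."""
    names = [name for name, _, _ in RULE_STRINGS]
    for k in range(len(names) + 1):
        for subset in combinations(names, k):
            data = build_sample(*subset)
            if yara_condition(data) != weight_condition(data):
                return False
    return True


if __name__ == "__main__":
    cases = {
        "four weight-1 strings":          build_sample("$x_1_1", "$x_1_2", "$x_1_4", "$x_1_5"),
        "chmod 777 plus two weight-1":    build_sample("$x_2_3", "$x_1_1", "$x_1_2"),
        "chmod 777 plus one weight-1":    build_sample("$x_2_3", "$x_1_1"),
        "only the generic libc string":   build_sample("$x_1_6"),
    }
    for label, blob in cases.items():
        print(f"{label:32s} weight={sum(find_matches(blob).values())} "
              f"match={yara_condition(blob)}")
    print("condition forms agree on all subsets:", conditions_agree_on_all_subsets())
```

The brute-force check is the useful part when tuning a rule like this: it shows that the three condition branches are nothing more than "total weight >= 4", so lowering the weight of a noisy string (or raising the threshold) can be reasoned about as arithmetic rather than by re-reading the boolean expression. It also makes explicit that a binary carrying only the libc specifier table, or `chmod 777` plus a single path, stays below the threshold.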