Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This is a concrete detection for a variant of the Mirai botnet malware, a threat designed to infect Linux-based systems and Internet of Things (IoT) devices. Once infected, the device becomes part of a botnet used to conduct large-scale Distributed Denial-of-Service (DDoS) attacks. The presence of this file on a Windows system likely indicates it is being stored or staged for an attack against other devices.
Relevant strings associated with this threat:
- |#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
- }#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
- |#75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 (NID)
- }#75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 (NID)
- &|#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
- &}#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
- y*|#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
- y*}#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
- C|#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
- C}#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
- L|#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
- L}#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
- |#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
- }#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
- |#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
- }#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
- |#d3e037e1-3eb8-44c8-a917-57927947596d (NID)
- }#d3e037e1-3eb8-44c8-a917-57927947596d (NID)
- |#7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c (NID)
- }#7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c (NID)
rule Backdoor_Linux_Mirai_B_2147721642_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.B"
        threat_id = "2147721642"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "7"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "nmnlmevdm" ascii //weight: 1
        $x_1_2 = "XMNNCPF" ascii //weight: 1
        $x_1_3 = "egvnmacnkr" ascii //weight: 1
        $x_1_4 = "GLC@NG" ascii //weight: 1
        $x_1_5 = "Q[QVGO" ascii //weight: 1
        $x_1_6 = "LAMPPGAV" ascii //weight: 1
        $x_1_7 = "AJWLIGF" ascii //weight: 1
        $n_1_8 = "GET /shell?cat%%20/etc/passwd" ascii //weight: -1
        $n_1_9 = "GET /system.ini?loginuse&loginpas" ascii //weight: -1
    condition:
        (filesize < 20MB) and
        (not (any of ($n*))) and
        (all of ($x*))
}

Associated hashes:
- ed678e7aacffd073c5cba2636acbfb43d5e17a54e16f9db2c27b14a79b40ad5f
- a4fc981669192154eca3bdfcb96960dfaa382c15d74985ce70a92593db4573a5
- c4c4aa71151afa0d88067ece5e516bfb234bcc58a6cb99bbb8dc919a963eb749
- e69e61b03c24bca2fe8f4e840fda23d30884d766414f9a34b59ba21a39764017
- 9e198bcec03c47c87962ad00d66661aa1e75768621579ccc8643d1fa538b4971

Immediately use your security software to quarantine and remove the detected file. Investigate the file's origin to determine how it was introduced to the system. Scan your network for vulnerable Linux or IoT devices, ensure all default credentials have been changed, and apply the latest security patches to prevent infection.
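The seven positive strings in the rule above look like gibberish because they are Mirai's own XOR-obfuscated string-table entries, and the condition is a weighted threshold (seven strings at weight 1, two veto strings at weight -1, threshold 7). The script below is an added example, written for this page and not code from threatcheck.sh or from the signature's author: it decodes the $x_* strings and models the rule's condition over constructed byte buffers. It assumes, from the 2016 leaked Mirai source (table.c) rather than from anything stated on this page, that the string table is XOR-obfuscated with the 4-byte key 0xdeadbeef applied byte by byte, which collapses to a single-byte XOR with 0x22. The sample buffers and the helper names are constructed for illustration.

```python
# Added example (not part of the threatcheck.sh page or the rule's own logic):
# (1) decode the obfuscated $x_* strings the rule anchors on, and
# (2) evaluate the rule's weighted condition over constructed sample buffers.
#
# Assumption from the leaked Mirai source (table.c), not stated on the page:
# every string-table byte is XORed in turn with each byte of the key 0xdeadbeef,
# so the net effect is a single-byte XOR with 0xde ^ 0xad ^ 0xbe ^ 0xef == 0x22.

MIRAI_TABLE_KEY = 0xDEADBEEF

# Positive strings copied from the rule's strings: section (weight 1 each).
X_STRINGS = {
    "$x_1_1": b"nmnlmevdm",
    "$x_1_2": b"XMNNCPF",
    "$x_1_3": b"egvnmacnkr",
    "$x_1_4": b"GLC@NG",
    "$x_1_5": b"Q[QVGO",
    "$x_1_6": b"LAMPPGAV",
    "$x_1_7": b"AJWLIGF",
}
# Negative strings (weight -1): their presence vetoes the match.
N_STRINGS = {
    "$n_1_8": b"GET /shell?cat%%20/etc/passwd",
    "$n_1_9": b"GET /system.ini?loginuse&loginpas",
}
THRESHOLD = 7                  # threshold = "7" in the rule's meta block
MAX_SIZE = 20 * 1024 * 1024    # filesize < 20MB


def effective_xor_byte(key: int = MIRAI_TABLE_KEY) -> int:
    """Fold the 4-byte table key into the single byte each data byte is XORed with."""
    k = key.to_bytes(4, "big")
    return k[0] ^ k[1] ^ k[2] ^ k[3]


def deobfuscate(blob: bytes, key: int = MIRAI_TABLE_KEY) -> str:
    """Undo the table obfuscation; XOR is its own inverse, so this also encodes."""
    x = effective_xor_byte(key)
    return bytes(b ^ x for b in blob).decode("ascii", errors="replace")


def decode_rule_strings() -> dict:
    """Map each $x_* name to the plaintext its obfuscated bytes stand for."""
    return {name: deobfuscate(raw) for name, raw in X_STRINGS.items()}


def score(data: bytes) -> int:
    """Weighted score as the //weight comments describe it: +1 per $x_*, -1 per $n_*."""
    s = sum(1 for pat in X_STRINGS.values() if pat in data)
    s -= sum(1 for pat in N_STRINGS.values() if pat in data)
    return s


def matches_by_weight(data: bytes) -> bool:
    """Threshold form of the condition: size bound plus weighted score >= threshold."""
    return len(data) < MAX_SIZE and score(data) >= THRESHOLD


def matches(data: bytes) -> bool:
    """Literal form of the rule's condition block."""
    if len(data) >= MAX_SIZE:
        return False
    if any(pat in data for pat in N_STRINGS.values()):
        return False
    return all(pat in data for pat in X_STRINGS.values())


def build_sample(strings) -> bytes:
    """Constructed stand-in for a binary: an ELF-like magic prefix, then NUL-separated strings."""
    return b"\x7fELF" + b"\x00" * 12 + b"\x00".join(strings) + b"\x00"


# Constructed inputs for illustration; these are not real samples.
SAMPLE_HIT = build_sample(list(X_STRINGS.values()))
SAMPLE_WITH_NEGATIVE = build_sample(list(X_STRINGS.values()) + [N_STRINGS["$n_1_8"]])
SAMPLE_PARTIAL = build_sample(list(X_STRINGS.values())[:6])


if __name__ == "__main__":
    for name, plain in decode_rule_strings().items():
        print(f"{name}: {X_STRINGS[name]!r} -> {plain!r}")
    for label, buf in [("hit", SAMPLE_HIT),
                       ("with negative", SAMPLE_WITH_NEGATIVE),
                       ("partial", SAMPLE_PARTIAL)]:
        print(f"{label}: score={score(buf)} matches={matches(buf)} "
              f"by_weight={matches_by_weight(buf)}")
```

Decoding turns the rule's strings into recognisable Mirai string-table entries (for instance $x_1_1 becomes "LOLNOGTFO", $x_1_2 "zollard" and $x_1_3 "GETLOCALIP"), which is why the signature can be marked high accuracy while matching on bytes that never appear in plaintext. The threshold form and the literal condition agree here only because every positive weight is 1 and the threshold equals the number of positive strings; a buffer that carries a veto string scores 6 and fails both. For an actual scan, run the rule itself with yara; this script only models its logic.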