Backdoor:Linux/Mirai.BH!MTB - Windows Defender Threat Analysis

This threat is a variant of the Mirai botnet malware, which targets Linux-based systems and IoT devices. The compromised system is enlisted into a botnet to participate in large-scale Distributed Denial-of-Service (DDoS) attacks under the control of a remote attacker.

No specific strings found for this threat

rule Backdoor_Linux_Mirai_BH_2147818335_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.BH!MTB"
        threat_id = "2147818335"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "3"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {8b 19 89 d0 01 d8 89 eb 30 18 89 d0 8b 19 01 d8 89 fb 30 18 89 d0 8b 19 01 d8 89 f3 30 18 89 d0 8b 19 42 01 d8 8a 1c 24 30 18 8b 41 04 25 ff ff 00 00 39 d0 7f ca}  //weight: 1, accuracy: High
        $x_1_2 = "npxXoudifFeEgGaACScs" ascii //weight: 1
        $x_1_3 = {8b 14 08 89 53 10 8b 54 08 0c 66 89 53 14}  //weight: 1, accuracy: High
        $x_1_4 = {c7 43 34 00 00 00 00 89 43 30 c6 43 38 01 c6 43 39 03 c6 43 3a 03}  //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (3 of ($x*))
}

Immediately isolate the compromised Linux system from the network to prevent its participation in attacks. Ensure the malware has been removed and perform a full system scan. Investigate the initial access vector, change all system credentials, and disable unnecessary services like Telnet.