Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This detection identifies a specific variant of the Mirai botnet malware, a backdoor designed to infect Linux-based systems. Once compromised, the device is added to a botnet and used to launch large-scale Distributed Denial of Service (DDoS) attacks. The malware spreads by scanning for other vulnerable devices with weak or default credentials.
No specific strings found for this threat
rule Backdoor_Linux_Mirai_CH_2147822371_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.CH!xp"
        threat_id = "2147822371"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "xp: an internal category used to refer to some threats"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "1"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {01 7f 84 e3 78 38 a0 00 18 38 c0 00 01 7c 7b 1b 78 7f a3 eb 78 48 00 21 29 7f 84 e3 78 38 a0 00 07 38 c0} //weight: 1, accuracy: High
        $x_1_2 = {4a 14 7c 09 03 a6 4e 80 04 20 81 21 51 44 3a 41 00 08 3a c1 01 2c 2e 09 00 00 38} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (1 of ($x*))
}

656082eb8cfb7285165d7805cf1773948a5c1989567c4f118e0c58fd65eeca86

Immediately isolate the affected system from the network to prevent lateral movement and communication with its command-and-control server. Quarantine and delete the detected file. Change all default and weak passwords on the device and on any other Linux/IoT systems on the network, and ensure those systems are patched and securely configured.