Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This is a concrete detection of a Linux/Mirai botnet variant identified as 'CN', which functions as a backdoor. This malware typically targets Linux-based IoT devices and servers to enroll them into a botnet for launching Distributed Denial of Service (DDoS) attacks.
No human-readable strings are listed for this threat; the detection relies on the two raw byte patterns in the rule below.
rule Backdoor_Linux_Mirai_CN_2147823188_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.CN!MTB"
        threat_id = "2147823188"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "1"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {80 71 91 e7 03 40 d7 e7 05 40 24 e0 03 40 c7 e7 80 71 91 e7 03 40 d7 e7 0c 40 24 e0 03 40 c7 e7 80 71 91 e7 03 40 d7 e7 0e 40 24 e0 03 40 c7 e7 80 71 91 e7 03 40 d7 e7 02 40 24 e0 03 40 c7 e7 01 30 83 e2} //weight: 1, accuracy: High
        $x_1_2 = {f7 03 00 2a a0 02 40 f9 96 02 80 52 f3 c3 02 91 78 19 00 94 c1 02 00 4b a0 02 40 f9 f4 0a c1 1a 94 de 01 1b 73 19 00 94 14 00 14 0b e0 03 13 aa e1 03 14 2a a3 0e 00 94 a0 02 40 f9 e1 03 13 aa 7f ca 34 38} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (1 of ($x*))
}

Sample hash: 9b847a1f53ecafb25c6afaf25dc4e343ff2980b360b82cbb80e39953e913f2a4

Remediation: Immediately isolate the infected Linux system from the network to prevent further compromise. Perform a full system scan with an updated anti-malware solution, remove the detected threat, and identify and close any open ports or services that may have been exploited. Ensure all system software and credentials are up to date and strong.
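The rule above is plain YARA and can be compiled with yara or yara-python as-is. To show exactly what its condition evaluates (both strings are fixed byte sequences with no wildcards, the file must be under 20MB, and any one match triggers), here is an added, dependency-free Python matcher that reproduces that logic. It is example code written for this page, not threatcheck.sh's tooling; the ELF-like sample buffers are constructed inline so it runs offline, and the pattern bytes are copied verbatim from the rule.

```python
"""Minimal stand-in for rule Backdoor_Linux_Mirai_CN_2147823188_0.

Added example, not part of the original page. It reproduces the rule's
condition: filesize < 20MB and at least one of the $x_* byte patterns present.
"""
from __future__ import annotations

# Hex strings copied verbatim from the YARA rule (no wildcards, so plain
# substring search is equivalent to YARA's matching for these two patterns).
HEX_STRINGS = {
    "$x_1_1": (
        "80 71 91 e7 03 40 d7 e7 05 40 24 e0 03 40 c7 e7 "
        "80 71 91 e7 03 40 d7 e7 0c 40 24 e0 03 40 c7 e7 "
        "80 71 91 e7 03 40 d7 e7 0e 40 24 e0 03 40 c7 e7 "
        "80 71 91 e7 03 40 d7 e7 02 40 24 e0 03 40 c7 e7 "
        "01 30 83 e2"
    ),
    "$x_1_2": (
        "f7 03 00 2a a0 02 40 f9 96 02 80 52 f3 c3 02 91 "
        "78 19 00 94 c1 02 00 4b a0 02 40 f9 f4 0a c1 1a "
        "94 de 01 1b 73 19 00 94 14 00 14 0b e0 03 13 aa "
        "e1 03 14 2a a3 0e 00 94 a0 02 40 f9 e1 03 13 aa "
        "7f ca 34 38"
    ),
}

# YARA's "20MB" size suffix is 1024-based.
MAX_FILESIZE = 20 * 1024 * 1024


def hex_to_bytes(hex_text: str) -> bytes:
    """Turn a YARA-style spaced hex string into raw bytes."""
    return bytes.fromhex(hex_text.replace(" ", ""))


PATTERNS = {name: hex_to_bytes(h) for name, h in HEX_STRINGS.items()}


def find_matches(data: bytes) -> dict[str, list[int]]:
    """Return every offset at which each pattern occurs, keyed by string name.

    Patterns that never occur are omitted, so len(result) is the number of
    distinct $x_* strings that matched (what YARA's "1 of ($x*)" counts).
    """
    offsets: dict[str, list[int]] = {}
    for name, pattern in PATTERNS.items():
        hits = []
        pos = data.find(pattern)
        while pos != -1:
            hits.append(pos)
            pos = data.find(pattern, pos + 1)
        if hits:
            offsets[name] = hits
    return offsets


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition: (filesize < 20MB) and (1 of ($x*))."""
    if len(data) >= MAX_FILESIZE:
        return False
    return len(find_matches(data)) >= 1


def scan_file(path: str) -> bool:
    """Apply the rule to a file on disk."""
    with open(path, "rb") as fh:
        return rule_matches(fh.read())


# Constructed sample buffers (not real malware): an ELF magic header padded
# with zeros, with the first pattern embedded at offset 36 in the suspect one.
BENIGN_SAMPLE = b"\x7fELF" + bytes(64)
SUSPECT_SAMPLE = b"\x7fELF" + bytes(32) + PATTERNS["$x_1_1"] + bytes(16)


if __name__ == "__main__":
    for label, buf in (("benign", BENIGN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(label, "->", rule_matches(buf), find_matches(buf))
```

The matcher is deliberately limited to what this particular rule needs; it does not handle wildcards, jumps or other YARA syntax, so for production scanning compile the rule itself with yara. The filesize check matters in both directions: a sample padded past 20MB would not be flagged by the rule, which is worth keeping in mind when tuning thresholds for this family.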