Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This detection identifies a Linux system compromised by a Mirai variant, specifically Mirai.DC. This malware functions as a backdoor, granting unauthorized access to the system and enlisting it into a botnet to launch potent Distributed Denial of Service (DDoS) attacks, as indicated by embedded strings like "attack_tcp.c" and "flood_tcp_ack". The !MTB suffix confirms that machine learning behavioral analysis strongly corroborated this malicious activity.
No specific strings found for this threat
rule Backdoor_Linux_Mirai_DC_2147833473_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.DC!MTB"
        threat_id = "2147833473"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "4"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "attack_tcp.c" ascii //weight: 1
        $x_1_2 = "chacha20_quarterround" ascii //weight: 1
        $x_1_3 = "attack_udp.c" ascii //weight: 1
        $x_1_4 = "mylock" ascii //weight: 1
        $x_1_5 = "flood_tcp_ack" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (4 of ($x*))
}

cad1cd3550643999fb362df6559bfa167d3797bc829ec93f91bf27e0ffa5e99d

Immediately isolate the affected Linux system from the network. Eradicate the Mirai malware using trusted security tools, then apply all critical security patches and update default or weak credentials. Implement strict firewall rules and network segmentation to block C2 communication and outbound DDoS traffic, and continuously monitor for any signs of reinfection or persistent unauthorized access.
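To show how the rule's condition is evaluated during triage, the following is an added Python example (not code from threatcheck.sh or from the signature itself) that mirrors the rule's five ASCII strings, its 4-of-5 threshold and its 20MB size limit over constructed sample buffers; a production scan would use yara-python, which is deliberately not assumed here.

```python
import os
from typing import Dict, List

# The five ASCII strings from the Backdoor_Linux_Mirai_DC rule above (all weight 1).
MIRAI_DC_STRINGS: Dict[str, bytes] = {
    "$x_1_1": b"attack_tcp.c",
    "$x_1_2": b"chacha20_quarterround",
    "$x_1_3": b"attack_udp.c",
    "$x_1_4": b"mylock",
    "$x_1_5": b"flood_tcp_ack",
}
RULE_THRESHOLD = 4                    # "4 of ($x*)" in the rule's condition
MAX_FILESIZE = 20 * 1024 * 1024       # YARA's "20MB" is 20 * 2**20 bytes


def match_strings(data: bytes) -> List[str]:
    """Return identifiers of rule strings present anywhere in data.
    The rule uses the plain 'ascii' modifier, so matching is case-sensitive."""
    return [ident for ident, needle in MIRAI_DC_STRINGS.items() if needle in data]


def evaluate_rule(data: bytes) -> dict:
    """Evaluate the rule's condition: filesize < 20MB and at least 4 distinct strings."""
    hits = match_strings(data)
    size_ok = len(data) < MAX_FILESIZE
    return {
        "filesize_ok": size_ok,
        "hits": hits,                         # useful for analyst triage of near-misses
        "matched": size_ok and len(hits) >= RULE_THRESHOLD,
    }


def scan_file(path: str) -> dict:
    """Apply the rule to a file on disk (hypothetical helper, not part of the page)."""
    with open(path, "rb") as fh:
        return evaluate_rule(fh.read())


# Constructed test buffers (not real malware): one carrying four of the five
# strings and one carrying only three, to show the threshold boundary.
SAMPLE_FOUR = b"\x7fELF" + b"\x00" * 16 + b"attack_tcp.c\x00attack_udp.c\x00flood_tcp_ack\x00mylock\x00"
SAMPLE_THREE = b"\x7fELF" + b"\x00" * 16 + b"attack_tcp.c\x00attack_udp.c\x00mylock\x00"

if __name__ == "__main__":
    for name, blob in (("four strings", SAMPLE_FOUR), ("three strings", SAMPLE_THREE)):
        print(name, evaluate_rule(blob))
```

A buffer with three of the strings is reported with its partial hits but not as a match, which is the information an analyst wants when tuning or investigating a near-miss.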