Concrete signature match: Backdoor (provides unauthorized remote access), Linux platform, family Mirai
This is a Mirai botnet variant targeting Linux systems, identified via behavioral analysis. It functions as a backdoor that gains unauthorized remote access and likely attempts to recruit the compromised device into a larger botnet by downloading and executing additional payloads built for specific CPU architectures.
No specific strings found for this threat
rule Backdoor_Linux_Mirai_DJ_2147849384_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.DJ!MTB"
        threat_id = "2147849384"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "4"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = "/var/CondiBot" ascii //weight: 1
        $x_1_2 = "boatnet" ascii //weight: 1
        $x_1_3 = {2f 62 69 6e 2f 7a 68 74 74 70 64 2f ?? ?? ?? ?? ?? ?? 63 64 ?? ?? ?? ?? ?? ?? 2f 74 6d 70 3b ?? ?? ?? ?? ?? ?? 72 6d ?? ?? ?? ?? ?? ?? 2d 72 66 ?? ?? ?? ?? ?? ?? 2a 3b ?? ?? ?? ?? ?? ?? 77 67 65 74 ?? ?? ?? ?? ?? ?? 68 74 74 70 3a 2f 2f [0-21] 2f 6d 69 70 73 3b ?? ?? ?? ?? ?? ?? 63 68 6d 6f 64} //weight: 1, accuracy: Low
        $x_1_4 = "/tmp/condinetwork" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

064d3f5754a1730f796a4ad988cf1c6aba359dd4e08ec15dc56cd4d2da0f2910

Immediately isolate the infected Linux host. Remove the detected malicious files and any associated persistence mechanisms. Patch the underlying vulnerabilities that allowed the compromise, reset compromised credentials, and monitor network traffic for command-and-control (C2) communications.