Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This detection identifies Backdoor:Linux/Mirai.DP!MTB, a specific variant of the notorious Mirai botnet. It operates as a backdoor on Linux systems, likely compromising IoT devices, to enlist them in a botnet for Distributed Denial of Service (DDoS) attacks, using specific paths like /tmp/condinetwork and /var/condibot for its operations.
rule Backdoor_Linux_Mirai_DP_2147849354_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.DP!MTB"
        threat_id = "2147849354"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "3"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "/tmp/condinetwork" ascii //weight: 1
        $x_1_2 = "/var/condibot" ascii //weight: 1
        $x_1_3 = {7c 08 02 a6 94 21 ff f0 90 01 00 14 80 03 00 0c 2f 80 00 01 41 9e 00 2c 41 bd 00 10 2f 80 00 00 41 9e 00 50 48 00 00 14 2f 80 00 02 41 9e 00 54 2f 80 00 03 41 9e 00 6c 39 20 00 16 48 00 00 74} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate affected Linux systems to prevent further network compromise and botnet activity. Locate and remove all associated malicious files and persistence mechanisms, particularly the indicated files /tmp/condinetwork and /var/condibot. Patch all systems for known vulnerabilities, enforce strong, unique passwords for all devices (especially IoT), and monitor network traffic to block outbound connections to Mirai Command and Control (C2) servers.