Backdoor:Linux/Mirai.DZ!MTB - Windows Defender Threat Analysis

This threat is a variant of the Mirai botnet malware, which targets Linux-based systems, primarily IoT devices. The malware creates a backdoor, allowing the compromised device to be controlled remotely and used in large-scale Distributed Denial-of-Service (DDoS) attacks. The detection is based on a combination of machine learning behavioral analysis and specific strings found in the malicious file.

No specific strings found for this threat

rule Backdoor_Linux_Mirai_DZ_2147852954_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.DZ!MTB"
        threat_id = "2147852954"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "3"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {89 c2 83 ee 02 c1 e2 0b 31 c2 44 89 c0 c1 e8 13 89 d1 44 31 c0 c1 e9 08 31 c2 31 d1 66 89 0f 48 83 c7 02}  //weight: 1, accuracy: High
        $x_1_2 = "/usr/compress/bin/" ascii //weight: 1
        $x_1_3 = "mnt/mtd/app/gui" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Isolate the affected device from the network immediately to prevent it from participating in attacks. Remove the detected malicious file and terminate its process. Change all default or weak credentials on the device to strong, unique passwords and update its firmware to the latest version to prevent reinfection.