Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This threat is a variant of the Mirai malware, a notorious botnet that infects Linux-based systems, particularly Internet of Things (IoT) devices. Once infected, the device is controlled by a remote attacker and used to participate in large-scale Distributed Denial of Service (DDoS) attacks. This detection is based on machine learning behavioral analysis, indicating the file exhibits actions consistent with this malware family.
No specific strings found for this threat
rule Backdoor_Linux_Mirai_ED_2147890021_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.ED!MTB"
        threat_id = "2147890021"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "1"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {00 38 f7 f1 29 04 a2 a6 db 3b 60 8d a0 6c 34 da b4 3a 80 f4 31 02 89 34 73 19 88 be 99 5f 98 0e 32 54 ae 03 d6 12 0f 27 80 42 05 de d8 5e b4 e0 a6 40 cd 53 f6 2e 9c 2a 07 36 5b fa 9f 7c f0 2e cb 1a 53 8d 95 7a 07 9f 4f 12 df a9 0f 66 40 d3 84} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate the affected Linux device from the network to prevent further malicious activity. Remove the detected file and, if possible, perform a factory reset to ensure complete removal. Change all default credentials to strong, unique passwords and apply the latest security patches and firmware updates to prevent reinfection.