Backdoor:Linux/Mirai.ER!MTB - Windows Defender Threat Analysis

This threat is a backdoor component of the Mirai botnet, designed to infect Linux-based systems like IoT devices and servers. Once infected, the system is controlled by an attacker and used to participate in large-scale Distributed Denial-of-Service (DDoS) attacks.

No specific strings found for this threat

rule Backdoor_Linux_Mirai_ER_2147905480_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.ER!MTB"
        threat_id = "2147905480"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {21 00 00 3f 92 10 00 1b 96 14 23 ff d0 2f be cf 94 10 20 03}  //weight: 1, accuracy: High
        $x_1_2 = {05 00 00 3f a3 30 60 10 ac 10 a3 ff 82 10 20 00 a5 37 60 10 83 28 60 02 d4 07 be b8 a7 3d e0 18 e0 02 80 01 80 a4 80 16 02 80 ?? ?? b6 04 20 14}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Isolate the affected Linux device from the network. Identify and remove the malicious file, and change all default or weak credentials. If it's an IoT device, perform a factory reset or re-flash the firmware to a known-clean version and apply all security patches.