Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This is a concrete detection of Backdoor:Linux/Mirai.EX, a variant of the Mirai botnet specifically targeting Linux systems. This malware establishes a backdoor, allowing attackers to gain remote control over the compromised device, typically an IoT device, and enlist it into a botnet for launching Distributed Denial of Service (DDoS) attacks.
No specific text strings are listed for this threat; the rule below matches on the byte patterns shown.
rule Backdoor_Linux_Mirai_EX_2147913421_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.EX!MTB"
        threat_id = "2147913421"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"

    strings:
        $x_1_1 = {04 00 42 92 00 00 43 8e 05 00 52 26 14 00 a2 a0 04 00 a3 ac 10 00 a3 ac 00 00 a6 a4 f8 ff 92 14 18 00 a5 24 21 10 d7 02 23 10 22 02 fa ff 54 24} //weight: 1, accuracy: High
        $x_1_2 = {21 10 43 02 00 00 42 80 00 00 00 00 ec ff 40 10 00 00 00 00 ?? ?? ?? ?? 01 00 63 24 ff ff 63 24 03 00 71 24 02 00 66 24 21 10 a6 02 20 00 43 80 00 00 00 00 c8 01 60 10 20 00 02 24 c5 01 62 10 01 00 c2 24 21 10 42 02 21 20 c0 00 03 00 00 10 20 00 05 24} //weight: 1, accuracy: Low

    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Sample hash (SHA256): c8bc60f2b1ebfae6c2055a21312357cecca4f70ae72d79943e22f86164dd6a1b

Immediately isolate the affected Linux device from the network. Remove the detected malware using an updated antivirus solution or by re-imaging the device. Change all default or weak credentials, apply all available security patches to the operating system and installed software, and implement network segmentation to prevent further spread.