Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This is the Mirai.EZ variant, a Linux-based backdoor detected through behavioral analysis (!MTB). It allows attackers to gain remote control over compromised Linux devices, typically enrolling them into a botnet to launch Distributed Denial of Service (DDoS) attacks.
rule Backdoor_Linux_Mirai_EZ_2147901585_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.EZ!MTB"
        threat_id = "2147901585"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "4"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {10 c0 00 09 00 80 10 21 00 86 30 21 90 a2 00 00 00 00 00 00 a0 82 00 00 24 84 00 01 14 86 ff fb 24 a5 00 01 00 80 10 21 03 e0 00 08} //weight: 1, accuracy: High
        $x_1_2 = "wabjtam" ascii //weight: 1
        $x_1_3 = "beardropper" ascii //weight: 1
        $x_1_4 = "/bin/busybox" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Hashes:
21821fb4e8d9ad7830f7027f1c0ec343502a82d81b87f06810a4f001b4d8f914
d3d5456cd4acb3b572b1e3e52e4e090bcc1f40118b1db478d218380001406837

Isolate the infected Linux device, perform a full system scan to remove the malware, apply all available security patches, and reset any compromised credentials. Implement network segmentation and firewall rules to block known Mirai C2 communication and monitor for unusual network activity.
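To see how the rule's condition behaves, here is an added example (not threatcheck.sh or YARA code) that re-implements the four atoms and the `(filesize < 20MB) and (all of ($x*))` condition in plain Python over constructed buffers. It assumes that, because the hex atom has no wildcards or jumps, a byte-wise substring search gives the same verdict as YARA; the point it shows is that a buffer carrying only `/bin/busybox`, which any BusyBox-based firmware contains, does not match, since every atom is required.

```python
# Added example: plain-Python evaluation of the rule's condition, not threatcheck.sh or YARA code.
# Assumption: the hex atom has no wildcards or jumps, so a byte-wise substring search
# reproduces YARA's verdict for these four atoms.

# Atoms copied from the Backdoor_Linux_Mirai_EZ_2147901585_0 rule.
X_1_1 = bytes.fromhex(
    "10 c0 00 09 00 80 10 21 00 86 30 21 90 a2 00 00 00 00 00 00 "
    "a0 82 00 00 24 84 00 01 14 86 ff fb 24 a5 00 01 00 80 10 21 03 e0 00 08"
)
ATOMS = {
    "$x_1_1": X_1_1,
    "$x_1_2": b"wabjtam",
    "$x_1_3": b"beardropper",
    "$x_1_4": b"/bin/busybox",
}
MAX_FILESIZE = 20 * 1024 * 1024  # YARA's "20MB" (MB is 2**20 bytes)


def matching_atoms(data: bytes) -> dict:
    """Return {atom_name: first_offset} for every atom present in data."""
    hits = {}
    for name, needle in ATOMS.items():
        offset = data.find(needle)  # 'ascii' strings are case-sensitive by default
        if offset != -1:
            hits[name] = offset
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate '(filesize < 20MB) and (all of ($x*))' for one buffer."""
    return len(data) < MAX_FILESIZE and len(matching_atoms(data)) == len(ATOMS)


# Constructed buffers standing in for scanned files (not real samples).
BUSYBOX_ONLY = b"\x7fELF" + b"\x00" * 32 + b"/bin/busybox\x00" + b"\x00" * 32
FULL_SAMPLE = BUSYBOX_ONLY + b"wabjtam\x00beardropper\x00" + X_1_1
OVERSIZE = FULL_SAMPLE + b"\x00" * MAX_FILESIZE  # same atoms, but past the size cap


if __name__ == "__main__":
    for label, buf in [("busybox-only", BUSYBOX_ONLY), ("full", FULL_SAMPLE), ("oversize", OVERSIZE)]:
        print(f"{label:13} atoms={sorted(matching_atoms(buf))} match={rule_matches(buf)}")
```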