Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This is a concrete detection of Backdoor:Linux/Mirai.FA!MTB, a variant of the infamous Mirai botnet specifically targeting Linux systems. It establishes a backdoor, enabling attackers to gain remote control and enroll the device into a botnet for DDoS attacks or other malicious operations.
No specific strings found for this threat
rule Backdoor_Linux_Mirai_FA_2147901928_0
{
meta:
author = "threatcheck.sh"
detection_name = "Backdoor:Linux/Mirai.FA!MTB"
threat_id = "2147901928"
type = "Backdoor"
platform = "Linux: Linux platform"
family = "Mirai"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
threshold = "2"
strings_accuracy = "High"
strings:
$x_1_1 = {10 73 00 55 24 02 00 09 10 62 00 53 24 02 00 01 10 e2 00 47 00 00 00 00 00 00 38 21 28 a2 00 07 10 40 00 05 24 84 00 01 80 83 00 00 24 c6 00 01 14 60 ff f3} //weight: 1, accuracy: High
$x_1_2 = "someoffdeeznuts" ascii //weight: 1
condition:
(filesize < 20MB) and
(all of ($x*))
}010ca004c63f05c7669006aac355eeaa3684e23faa8f8abf7f739ea4eed92347Immediately isolate affected Linux systems, remove the malicious file, and reset all credentials on compromised devices. Patch any identified vulnerabilities, implement network segmentation, and enable continuous monitoring to prevent reinfection.