Backdoor:Linux/Mirai.FE!MTB - Windows Defender Threat Analysis

This detection identifies a variant of the Mirai botnet malware, which targets Linux-based systems and IoT devices. The malware creates a backdoor, adding the infected system to a botnet used for launching Distributed Denial-of-Service (DDoS) attacks. The '!MTB' suffix indicates this was identified by a machine learning behavioral model.

No specific strings found for this threat

rule Backdoor_Linux_Mirai_FE_2147913993_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.FE!MTB"
        threat_id = "2147913993"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {30 84 00 ff 18 ?? ?? ?? 30 c6 00 ff ?? a2 00 04 00 00 00 00 10 ?? ?? ?? 24 a3 00 08 10 ?? ?? ?? 00 00 40 21 ?? 62 00 04 00 00 00 00 10 ?? ?? ?? 24 63 00 08}  //weight: 1, accuracy: Low
        $x_1_2 = {00 04 18 c0 00 04 11 40 00 43 10 23 00 5e 28 21 8f a2 00 68 00 04 18 80 00 62 18 21 ?? a2 00 14 8c 71 00 00 2c 42 00 20 14 40 00 47 26 32 00 14 8f a3 00 28 24 02 ff ff}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Isolate the affected system from the network immediately. Identify the source of the Linux file (e.g., WSL, container, downloaded file) and ensure its deletion. If this threat was active on a device, re-flash its firmware and change all default credentials to strong, unique passwords.