Backdoor:Linux/Mirai.FO!MTB - Windows Defender Threat Analysis

This detection identifies a backdoor from the Mirai botnet family on a Linux system or file. Mirai compromises devices with weak credentials to absorb them into a botnet used for Distributed Denial-of-Service (DDoS) attacks. The infected system can be fully controlled by a remote attacker.

No specific strings found for this threat

rule Backdoor_Linux_Mirai_FO_2147913526_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.FO!MTB"
        threat_id = "2147913526"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {3c 30 97 e5 07 00 53 e3 3c 50 94 c5 1f ?? ?? ?? 04 00 a0 e1 cd ?? ?? ?? 00 20 a0 e3 00 00 5a e3 00 20 c6 e5 b2 ?? ?? ?? 44 30 d7 e5 02 00 53 e1 b1 ?? ?? ?? 05 30 dd e5 2d 00 53 e3 02 10 a0 01 02 ?? ?? ?? 05 00 5b e3 00 10 a0 c3}  //weight: 1, accuracy: Low
        $x_1_2 = {00 00 59 e3 00 00 89 15 00 00 5a e3 02 71 e0 03 02 71 a0 13 00 60 e0 03 00 60 a0 13 00 30 5b e2 01 30 a0 13 07 00 55 e1 00 20 a0 e3}  //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Isolate the affected Linux system (e.g., WSL, container). Change all default and weak passwords on the device and other network assets. Ensure the detected file is removed and run a full system scan for other malicious components.