Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This detection identifies a Backdoor:Linux/Mirai.FV!MTB variant, a sophisticated threat primarily targeting Linux-based IoT devices. It acts as a backdoor, establishing persistent access to infected systems and typically enlisting them into a Mirai botnet for large-scale Distributed Denial of Service (DDoS) attacks.
No specific strings found for this threat
rule Backdoor_Linux_Mirai_FV_2147906265_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.FV!MTB"
        threat_id = "2147906265"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {20 40 d1 d1 bb 10 20 40 d1 d1 b9 10 20 40 d1 d1 b7 10 20 40 d1 d1 b5 10 52 80 42 81 32 29 00 04 b0 81} //weight: 1, accuracy: High
        $x_1_2 = {20 6e 00 08 30 10 00 40 00 08 22 6e 00 08 32 80 20 6e 00 08 20 28 00 0c 22 00 22 6e 00 08 20 29 00 08 24 01 94 80 2d 42 ff f8 4a ae ff f8 ?? ?? 20 2e ff f8 b0 ae ff f0 ?? ?? 2d 6e ff f0 ff f8} //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Associated SHA-256 hashes:
b81d47a5d54682a4d1f7fffdafab27af2b941fe3949b53addacd047659599457
112991b3fd27e609cd7cfb244337c0d0f364d1a8b3bf1539cb535f4059c75af2
1ea7a58c3f1dfd9f76a081b872d0d7179a4a02d83fb6732d25c71fb94cb8dc84

Immediately isolate the infected Linux device from the network. Change all default or weak credentials, apply all available firmware and software updates, and perform a factory reset or a full system re-image if possible. Implement strong firewall rules and monitor network traffic for outbound connections to command-and-control servers.
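As an added example (not code from threatcheck.sh or Microsoft), a minimal Python matcher that evaluates the two hex strings and the condition of the rule above without yara-python, useful for checking what the `??` wildcards and `all of ($x*)` actually require; the sample buffer it scans is constructed, not a real binary.

```python
import re
import sys

# Hex patterns copied from the rule on this page; "??" is a one-byte wildcard.
X_1_1 = ("20 40 d1 d1 bb 10 20 40 d1 d1 b9 10 20 40 d1 d1 b7 10 20 40 d1 d1 b5 10 "
         "52 80 42 81 32 29 00 04 b0 81")
X_1_2 = ("20 6e 00 08 30 10 00 40 00 08 22 6e 00 08 32 80 20 6e 00 08 20 28 00 0c "
         "22 00 22 6e 00 08 20 29 00 08 24 01 94 80 2d 42 ff f8 4a ae ff f8 ?? ?? "
         "20 2e ff f8 b0 ae ff f0 ?? ?? 2d 6e ff f0 ff f8")
MAX_FILESIZE = 20 * 1024 * 1024  # the rule's "filesize < 20MB"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string (fixed bytes plus ?? wildcards) into a bytes regex."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


RULE_STRINGS = {"$x_1_1": hex_pattern_to_regex(X_1_1),
                "$x_1_2": hex_pattern_to_regex(X_1_2)}


def match_rule(data: bytes) -> dict:
    """Evaluate the rule's condition: filesize < 20MB and all of ($x*).
    Returns the verdict plus the offsets at which each string was found."""
    hits = {name: [m.start() for m in rx.finditer(data)]
            for name, rx in RULE_STRINGS.items()}
    matched = len(data) < MAX_FILESIZE and all(hits.values())
    return {"matched": matched, "hits": hits}


def build_sample() -> bytes:
    """Constructed test buffer (not a real sample): both patterns embedded in filler,
    with arbitrary 0xaa bytes at the wildcard positions of $x_1_2."""
    x1 = bytes.fromhex(X_1_1.replace(" ", ""))
    x2 = bytes.fromhex(X_1_2.replace("??", "aa").replace(" ", ""))
    return b"\x7fELF" + b"\x00" * 100 + x1 + b"\x90" * 37 + x2 + b"\x00" * 50


if __name__ == "__main__":
    # Scan files given on the command line, or the constructed sample if none.
    targets = sys.argv[1:]
    blobs = [open(p, "rb").read() for p in targets] if targets else [build_sample()]
    for name, blob in zip(targets or ["<constructed sample>"], blobs):
        print(name, match_rule(blob))
```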