Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This is a concrete detection of Backdoor:Linux/Mirai.GJ!MTB, a variant of the Mirai botnet malware targeting Linux systems. It establishes unauthorized access and likely enrolls the compromised device into a botnet used to launch Distributed Denial of Service (DDoS) attacks. The detection is based on specific byte patterns combined with machine-learning behavioral analysis.
No specific text strings were found for this threat; the rule below matches on raw byte patterns instead.
rule Backdoor_Linux_Mirai_GJ_2147906254_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.GJ!MTB"
        threat_id = "2147906254"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"

    strings:
        $x_1_1 = {f0 35 9f e5 02 00 5c e1 03 30 98 e7 00 c0 a0 23 1c 10 a0 e3 9c 31 23 e0 64 c0 8d e5 68 c0 9d e5 01 20 8c e2 10 00 9d e5 02 28 a0 e1 22 28 a0 e1 68 20 8d e5 0c 10 9d e5 b0 20 88 e1 64 20 9d e5 01 20 88 e7 03 e0 a0 e1 0f 00 be e8} //weight: 1, accuracy: High
        $x_1_2 = {1c 00 90 e5 04 10 a0 e1 a9 04 00 eb 00 00 55 e3 44 51 84 e5 1c 00 94 05 f9 04 00 0b 04 d0 8d e2 30 40 bd e8 1e ff 2f e1} //weight: 1, accuracy: High

    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate the compromised Linux system from the network. Identify and terminate the Mirai process, then perform a full system scan with up-to-date antivirus/EDR to remove the malware. Change all default and weak credentials, apply all available security patches, and harden the system by disabling unnecessary services and configuring strong firewall rules. Monitor network traffic for any residual malicious activity.