$ analyze-threat Backdoor:Linux/Mirai.GJ!MTB
Backdoor:Linux/Mirai.GJ!MTB - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:Linux/Mirai.GJ!MTB
Classification:
Type: Backdoor
Platform: Linux
Family: Mirai
Detection Type: Concrete
    Known malware family with identified signatures
Variant: GJ
    Specific signature variant within the malware family
Suffix: !MTB
    Signature produced by Microsoft's machine-learning/behavioral analysis pipeline (expanded below as "Microsoft Threat Behavior")
Detection Method: Static byte-pattern signature (two ELF hex strings, threshold 2; see the YARA rule below)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access), Linux platform, Mirai family.

Summary:

This is a concrete detection of Backdoor:Linux/Mirai.GJ!MTB, a variant of the Mirai botnet malware targeting Linux systems. It provides unauthorized remote access to the compromised device and, as is typical for Mirai, enrols it in a botnet used to launch Distributed Denial of Service (DDoS) attacks. The detection is a match on specific byte patterns in the ELF binary (the two hex strings in the YARA rule below); the !MTB suffix indicates that the signature came from Microsoft's machine-learning/behavioral analysis pipeline. The five samples listed below are all armv6l (32-bit ARM) builds, the architecture of many embedded and IoT devices.

Severity:
Critical
VDM Static Detection:
No printable (ASCII) strings are recorded for this threat; the definition consists of the hex byte patterns reproduced in the YARA rule below
YARA Rule:
rule Backdoor_Linux_Mirai_GJ_2147906254_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.GJ!MTB"
        threat_id = "2147906254"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"
    strings:
        // Both patterns are little-endian 32-bit ARM instruction bytes (e.g. f0 35 9f e5 = LDR r3, [pc, #0x5f0];
        // 1e ff 2f e1 = BX lr), consistent with the armv6l samples listed below
        $x_1_1 = {f0 35 9f e5 02 00 5c e1 03 30 98 e7 00 c0 a0 23 1c 10 a0 e3 9c 31 23 e0 64 c0 8d e5 68 c0 9d e5 01 20 8c e2 10 00 9d e5 02 28 a0 e1 22 28 a0 e1 68 20 8d e5 0c 10 9d e5 b0 20 88 e1 64 20 9d e5 01 20 88 e7 03 e0 a0 e1 0f 00 be e8}  //weight: 1, accuracy: High
        $x_1_2 = {1c 00 90 e5 04 10 a0 e1 a9 04 00 eb 00 00 55 e3 44 51 84 e5 1c 00 94 05 f9 04 00 0b 04 d0 8d e2 30 40 bd e8 1e ff 2f e1}  //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
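The YARA rule above is a transcription of the Defender ELF hex-string signature. The following is an added example, not code from threatcheck.sh or Microsoft: it re-implements the rule's logic in Python so the conditions can be inspected and tested offline. It parses the ELF header (class, endianness, e_machine), searches the image for the two byte patterns, applies the rule's threshold and 20 MB size bound, and looks a SHA-256 up against the sample list further down. Two things are assumptions rather than facts from the page: that SIGNATURE_TYPE_ELFHSTR_EXT means "byte patterns matched anywhere in an ELF file", and the test image, which is a constructed bare ELF header followed by the patterns, not a malware sample.

```python
import hashlib
import struct

EM_ARM = 40  # ELF e_machine value for 32-bit ARM

# Byte patterns copied verbatim from the page's YARA rule ($x_1_1, $x_1_2);
# bytes.fromhex() ignores the spaces.
SIG_PATTERNS = {
    "x_1_1": bytes.fromhex(
        "f0 35 9f e5 02 00 5c e1 03 30 98 e7 00 c0 a0 23 1c 10 a0 e3 9c 31 23 e0 "
        "64 c0 8d e5 68 c0 9d e5 01 20 8c e2 10 00 9d e5 02 28 a0 e1 22 28 a0 e1 "
        "68 20 8d e5 0c 10 9d e5 b0 20 88 e1 64 20 9d e5 01 20 88 e7 03 e0 a0 e1 "
        "0f 00 be e8"
    ),
    "x_1_2": bytes.fromhex(
        "1c 00 90 e5 04 10 a0 e1 a9 04 00 eb 00 00 55 e3 44 51 84 e5 1c 00 94 05 "
        "f9 04 00 0b 04 d0 8d e2 30 40 bd e8 1e ff 2f e1"
    ),
}
THRESHOLD = 2                    # rule meta "threshold = 2": both patterns must hit
MAX_FILESIZE = 20 * 1024 * 1024  # rule condition "filesize < 20MB"

# SHA-256 -> filename, copied from the "Known malware" list on the page.
KNOWN_SAMPLES = {
    "e63595cd147362ea9c07240aa9fe7f1b9a8c81b242468daddb7aea7766648139": "iran.armv6l",
    "bb25c747f9d408fe0e9b189c7a66f1d661fdc11283ce711dcc66abf68d96302c": "herios.armv6l",
    "a93d028cd0383852dca208935fa57bd4aaf88c0db6359839108282924bce0956": "iran.armv6l",
    "178be0af18b4780b4604a928daf02cbc4718b38cfdcdbec09e8e54e3cb157685": "armv6l",
    "49459102df62bafa1f7f84b9740262e47ee06bea8b7be5610bb345dc1d46d3ff": "iran.armv6l",
}


def parse_elf_header(data: bytes):
    """Return (elf_class, little_endian, e_machine), or None if not an ELF image."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    elf_class = data[4]            # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    little_endian = data[5] == 1   # EI_DATA: 1 = LSB, 2 = MSB
    (e_machine,) = struct.unpack_from("<H" if little_endian else ">H", data, 18)
    return elf_class, little_endian, e_machine


def match_signature(data: bytes) -> dict:
    """Apply the rule's logic to an in-memory file image.

    Keys: elf (valid ELF header), arm32 (32-bit ARM), hits (pattern names
    found), match (the signature would fire).
    """
    hdr = parse_elf_header(data)
    hits = [name for name, pat in SIG_PATTERNS.items() if pat in data]
    result = {
        "elf": hdr is not None,
        "arm32": hdr is not None and hdr[0] == 1 and hdr[2] == EM_ARM,
        "hits": hits,
        "match": False,
    }
    # ASSUMPTION: an ELF hex-string signature is only evaluated on ELF files,
    # within the size bound, and fires when >= THRESHOLD distinct patterns hit.
    result["match"] = result["elf"] and len(data) < MAX_FILESIZE and len(hits) >= THRESHOLD
    return result


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ioc_lookup(sha256: str):
    """Return the filename the page lists for this hash, or None if unknown."""
    return KNOWN_SAMPLES.get(sha256.lower())


def build_constructed_sample(include=("x_1_1", "x_1_2")) -> bytes:
    """CONSTRUCTED test image (not malware): a valid 32-bit little-endian ARM
    ELF header followed by the selected signature patterns between filler."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    # e_type=ET_EXEC, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    rest = struct.pack("<HHIIIIIHHHHHH", 2, EM_ARM, 1, 0x8000, 52, 0,
                       0x05000200, 52, 32, 0, 40, 0, 0)
    body = b"".join(b"\x00" * 64 + SIG_PATTERNS[name] for name in include)
    return e_ident + rest + body + b"\x00" * 64


if __name__ == "__main__":
    sample = build_constructed_sample()
    print(match_signature(sample))
    print("IOC hit:", ioc_lookup(sha256_hex(sample)))
```

Run against a real file with `match_signature(open(path, "rb").read())`. Dropping one pattern from the constructed image shows the threshold at work: a single hit reports `hits` but not `match`, which is why a hunt that greps for only one of the two hex strings over-reports relative to the Defender signature.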
Known malware associated with this threat (filename, SHA-256, date as DD/MM/YYYY):
iran.armv6l     e63595cd147362ea9c07240aa9fe7f1b9a8c81b242468daddb7aea7766648139  01/02/2026
herios.armv6l   bb25c747f9d408fe0e9b189c7a66f1d661fdc11283ce711dcc66abf68d96302c  29/01/2026
iran.armv6l     a93d028cd0383852dca208935fa57bd4aaf88c0db6359839108282924bce0956  28/01/2026
armv6l          178be0af18b4780b4604a928daf02cbc4718b38cfdcdbec09e8e54e3cb157685  26/01/2026
iran.armv6l     49459102df62bafa1f7f84b9740262e47ee06bea8b7be5610bb345dc1d46d3ff  23/01/2026
Remediation Steps:
Immediately isolate the affected Linux system from the network. Identify and terminate the Mirai process; Mirai variants commonly delete their own executable after launch, so the running process may have no matching file on disk. Where the host supports it, run a full scan with up-to-date antivirus/EDR. The samples listed above are armv6l (32-bit ARM) builds typical of embedded and IoT devices, which usually cannot run such tools; there, a reboot followed by a firmware reflash or factory reset is the practical equivalent. Before reconnecting, change all default and weak credentials, disable Telnet and any other unneeded remote-management services, apply available firmware and security patches, and restrict inbound access with firewall rules: Mirai spreads by brute-forcing default credentials, and an unhardened device is typically reinfected within minutes of coming back online. Monitor network traffic afterwards for residual scanning, credential brute-force or command-and-control activity.
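An added example for the "identify and terminate the Mirai process" step, not code from threatcheck.sh: the publicly released Mirai source unlinks its own binary as soon as it starts, so a file scan can come back clean while the bot is still running. The kernel still holds the process image, and /proc/PID/exe then resolves to "<path> (deleted)", which is what this helper looks for. The build_fake_proc() fixture is a constructed /proc look-alike so the logic runs offline; on a real host call find_deleted_exes() with the default "/proc".

```python
import os
import tempfile


def read_cmdline(path: str) -> str:
    """Return the NUL-separated /proc/PID/cmdline as one printable string."""
    try:
        with open(path, "rb") as f:
            return f.read().replace(b"\x00", b" ").decode(errors="replace").strip()
    except OSError:
        return ""


def find_deleted_exes(proc_root: str = "/proc"):
    """Return [(pid, exe_target, cmdline)] for processes whose executable has
    been unlinked from disk, sorted by pid."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # /proc/self, /proc/sys, ... are not process directories
        exe_link = os.path.join(proc_root, entry, "exe")
        try:
            target = os.readlink(exe_link)
        except OSError:
            continue  # kernel threads, exited processes, or no permission
        if target.endswith(" (deleted)"):
            cmdline = read_cmdline(os.path.join(proc_root, entry, "cmdline"))
            findings.append((int(entry), target, cmdline))
    return sorted(findings)


def build_fake_proc() -> str:
    """CONSTRUCTED test fixture: a temporary tree shaped like /proc with one
    benign process and one whose binary is gone. Returns the tree's root."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    procs = {
        "1337": ("/usr/sbin/sshd", b"/usr/sbin/sshd\x00-D\x00"),
        "4242": ("/tmp/.x/armv6l (deleted)", b"./armv6l\x00"),  # Mirai-like
    }
    for pid, (exe_target, cmdline) in procs.items():
        pid_dir = os.path.join(root, pid)
        os.mkdir(pid_dir)
        os.symlink(exe_target, os.path.join(pid_dir, "exe"))  # dangling link, as in /proc
        with open(os.path.join(pid_dir, "cmdline"), "wb") as f:
            f.write(cmdline)
    os.mkdir(os.path.join(root, "sys"))  # non-PID entry that must be skipped
    return root


if __name__ == "__main__":
    for pid, exe, cmd in find_deleted_exes(build_fake_proc()):
        print(f"pid={pid} exe={exe!r} cmdline={cmd!r}")
```

Run it as root on the isolated host, since /proc/PID/exe of other users' processes is not readable otherwise. Before killing a hit, copy the image with `cp /proc/<pid>/exe /evidence/` and hash it: the deleted binary is still readable through that link, so it can be compared against the SHA-256 list above and kept for analysis.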
=== END REPORT ===
Analysis last updated: 03/01/2026