Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This is a concrete detection of a Linux backdoor from the Mirai botnet family. The malware is designed to infect Linux-based systems, including IoT devices, and enlist them in a botnet used to launch DDoS attacks. Its presence on a Windows system suggests the file is being stored or staged there, or that it is potentially active within a Windows Subsystem for Linux (WSL) environment.
No specific strings found for this threat
rule Backdoor_Linux_Mirai_GM_2147913425_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.GM!MTB"
        threat_id = "2147913425"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {14 00 67 20 b6 28 00 04 67 18 43 e8 00 06 42 81 52 81 b2 82 67 0e 20 49 10 29 00 04 5c 89 b6 00 66 ee 28 10 20 44 20 08 4c df 00 1c 4e 75} //weight: 1, accuracy: High
        $x_1_2 = {d1 ef 00 30 20 03 d0 8a 20 92 11 6a 00 04 00 04 5a 8a 5b 82 31 7c 00 02 ff f0 21 50 ff f4 41 e8 00 16 b0 8a 66 e2 4a 82 66 46 99 cc 4a af 00 30} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

7bbac0793815037c1b8d6431da613d5f30c68ae17c0873524d38ca4ada701c20

1. Use your security software to quarantine and remove the detected file.
2. If Windows Subsystem for Linux (WSL) or other Linux environments are used on this machine, investigate them for signs of compromise.
3. Scan the network for other vulnerable Linux or IoT devices, change all default credentials, and apply security patches.