Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This detection identifies the GR variant of the Mirai botnet family on Linux platforms, confirmed by a concrete signature and behavioral analysis (the !MTB suffix). Mirai typically compromises IoT devices and servers and enlists them as bots for large-scale Distributed Denial of Service (DDoS) attacks and other malicious activity, acting as a backdoor for remote control.
No specific text strings were found for this threat; the signature below matches on hex byte patterns.
rule Backdoor_Linux_Mirai_GR_2147910129_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.GR!MTB"
        threat_id = "2147910129"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {05 00 1c 3c f4 84 9c 27 21 e0 99 03 d0 ff bd 27 28 00 bf af 10 00 bc af 5c 80 99 8f 18 00 a4 af 1c 00 a5 af 20 00 a6 af 06 10 04 24 18 00 a6 27 09 f8 20 03 03 00 05 24 10 00 bc 8f 28 00 bf 8f ?? ?? ?? ?? 08 00 e0 03 30 00 bd 27} //weight: 1, accuracy: Low
        $x_1_2 = {05 00 1c 3c 1c 85 9c 27 21 e0 99 03 21 10 a0 00 5c 80 99 8f 21 38 c0 00 21 28 80 00 21 30 40 00 08 00 20 03 a5 0f 04 24} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Sample hash: a7cafa72a972325d0c6322d2b143e89f2afd612436667001c45a41efd62c58e7

Immediately isolate the infected Linux system from the network to prevent further compromise or participation in botnet activity. Conduct a full system scan with updated security software, remove all detected malicious files, patch known vulnerabilities, and replace default or weak credentials, which are the usual entry point for Mirai infections. Implement strong password policies, disable unnecessary services, and monitor network traffic for suspicious activity.
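As an added example (not code from threatcheck.sh and not part of the rule above), a small pure-Python evaluator of this rule's two hex strings and its condition. It handles the `??` one-byte wildcard in $x_1_1 and the filesize bound, and is run over a constructed buffer rather than a real sample; the buffer layout and the helper names are assumptions for the demonstration.

```python
import re

# Both hex patterns from the rule above, copied verbatim; "??" is a one-byte wildcard.
X_1_1 = ("05 00 1c 3c f4 84 9c 27 21 e0 99 03 d0 ff bd 27 28 00 bf af 10 00 bc af "
         "5c 80 99 8f 18 00 a4 af 1c 00 a5 af 20 00 a6 af 06 10 04 24 18 00 a6 27 "
         "09 f8 20 03 03 00 05 24 10 00 bc 8f 28 00 bf 8f ?? ?? ?? ?? 08 00 e0 03 "
         "30 00 bd 27")
X_1_2 = ("05 00 1c 3c 1c 85 9c 27 21 e0 99 03 21 10 a0 00 5c 80 99 8f 21 38 c0 00 "
         "21 28 80 00 21 30 40 00 08 00 20 03 a5 0f 04 24")
PATTERNS = {"$x_1_1": X_1_1, "$x_1_2": X_1_2}
MAX_SIZE = 20 * 1024 * 1024  # the rule's "filesize < 20MB"


def hex_pattern_to_regex(pattern):
    """Compile a YARA hex string into a bytes regex; each '??' becomes 'any one byte'."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so '.' also matches 0x0a


def scan(data, max_size=MAX_SIZE):
    """Evaluate the rule's condition: filesize < 20MB and all of ($x*).

    Returns (matched, offsets); offsets maps each string name to its first hit."""
    if len(data) >= max_size:
        return False, {}
    offsets = {}
    for name, pattern in PATTERNS.items():
        hit = hex_pattern_to_regex(pattern).search(data)
        if hit is None:  # "all of" fails as soon as one string is absent
            return False, offsets
        offsets[name] = hit.start()
    return True, offsets


def materialize(pattern, fill=b"\x00"):
    """Build concrete bytes from a hex pattern, filling every '??' with `fill` (constructed data)."""
    return b"".join(fill if tok == "??" else bytes([int(tok, 16)]) for tok in pattern.split())


# Constructed sample buffer (not a real Mirai binary): ELF magic, padding, both fragments,
# with the wildcard slot of $x_1_1 holding arbitrary bytes as the rule permits.
SAMPLE = (b"\x7fELF" + b"\x00" * 64 + materialize(X_1_1, b"\xaa")
          + b"\x90" * 32 + materialize(X_1_2) + b"\x00" * 16)

if __name__ == "__main__":
    print(scan(SAMPLE))        # (True, {'$x_1_1': 68, '$x_1_2': 176})
    print(scan(SAMPLE[:160]))  # (False, {'$x_1_1': 68}) because $x_1_2 was truncated away
```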