Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This threat is a variant of the Mirai botnet malware, designed to infect Linux-based systems like IoT devices. The infected device is then incorporated into a botnet to participate in large-scale Distributed Denial of Service (DDoS) attacks. This specific detection was triggered by a machine learning model analyzing the file's behavior.
No specific strings found for this threat
rule Backdoor_Linux_Mirai_GS_2147913427_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.GS!MTB"
        threat_id = "2147913427"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {00 95 04 20 80 0f 00 00 00 60 45 20 00 0c 00 b5 94 ?? 0f 85 42 20 40 00 0f a5 ?? ?? f0 a5 40 25 00 1e 2f 27 0c 10 15 0f 92 10 8a 20 81 18 81 d9 01 da 00 db 6f 22 3f 00} //weight: 1, accuracy: Low
        $x_1_2 = {0b 20 00 a4 ae 01 04 00 04 26 80 1f 00 00 03 80 01 68 21 6f 04 79 99 09 21 80 04 1d 00 14 06 26 c0 73 00 00 00 04 cb 78 ?? ?? 04 27 8f 1f 00 00 00 80 e5 7e 44 26 c0 10 20 95 01 68 47 20 c0 00 14 68 04 21 81 0f 00 00 00 20 04 26 8e 1f ff ff 00 84} //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Associated sample hashes (SHA-256):
49706f08e21ef6e66d89bcf96ee360a0aee4722f4c4a132500fbce8a34f02cbc
38c706c7f53415b957a10b9602de9a31418684e5ab213f26e35af857c7790e7c
fbfe556c69e1aa5011126241d906a8bc18fd5d69ce69e9a3efcf12c8288d47fb
Immediately isolate the affected device from the network. Re-image the system or perform a factory reset to ensure complete removal. Harden the device by changing all default credentials, disabling unnecessary services such as Telnet, and applying the latest security patches and firmware updates to prevent reinfection.