Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
Backdoor:Linux/Mirai.GV!MTB is a concrete detection of a Mirai variant targeting Linux systems. This malware establishes a backdoor to enroll the compromised device into a botnet, primarily for launching distributed denial-of-service (DDoS) attacks against other targets.
No specific strings found for this threat
rule Backdoor_Linux_Mirai_GV_2147906728_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.GV!MTB"
        threat_id = "2147906728"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"

    strings:
        $x_1_1 = {80 10 12 00 21 10 50 00 02 00 43 2a 39 ?? ?? ?? 00 00 40 ac 54 00 a3 8f 01 00 02 24 3d ?? ?? ?? 02 00 02 24 12 ?? ?? ?? 01 00 11 24 98 80 99 8f 00 00 05 8e 4c 00 a4 8f 09 f8 20 03} //weight: 1, accuracy: Low
        $x_1_2 = {0f 00 84 30 80 18 03 00 2b 10 02 00 c0 20 04 00 25 18 64 00 40 10 02 00 2b 28 05 00 25 28 a3 00 25 10 c2 00 25 10 45 00 02 00 02 a1 18 00 e2 8c 00 00 00 00 02 ?? ?? ?? 80 ff 03 24 21 18 00 00} //weight: 1, accuracy: Low

    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

SHA-256: 9cd058aa7d572fb8e304619d808d2a5d26ac42580c40080c3ac0623a54e2a696

Recommended remediation:
1. Immediately isolate the infected Linux device from the network to prevent further compromise or participation in attacks.
2. Perform a full system scan with up-to-date antivirus/antimalware software and remove all detected threats.
3. Change all default or weak credentials on affected devices, enforce strong, unique passwords, and enable SSH key-based authentication where possible.
4. Apply all available security patches and firmware updates, and disable unnecessary services to close potential exploit vectors.
5. Implement network segmentation and firewall rules to restrict inbound and outbound connections for IoT devices to only essential services.