Backdoor:Linux/Mirai.GY!MTB - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:Linux/Mirai.GY!MTB
Classification:
Type: Backdoor
Platform: Linux
Family: Mirai
Detection Type: Concrete (known malware family with identified signatures)
Variant: GY (specific signature variant within the malware family)
Suffix: !MTB (detected via machine learning and behavioral analysis)
Detection Method: Behavioral
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access), platform Linux, family Mirai

Summary:

Backdoor:Linux/Mirai.GY!MTB is a concrete detection of a Mirai botnet variant targeting Linux systems, often IoT devices. It functions as a backdoor, allowing attackers to enroll the compromised device into a botnet for Distributed Denial of Service (DDoS) attacks and other malicious operations. This specific variant was identified with the aid of machine learning behavioral analysis.

Severity: Critical
VDM Static Detection: No specific strings found for this threat
YARA Rule:
rule Backdoor_Linux_Mirai_GY_2147906812_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.GY!MTB"
        threat_id = "2147906812"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {21 e0 99 03 d8 ff bd 27 20 00 bf af 1c 00 b1 af 18 00 b0 af 10 00 bc af 21 80 a0 00 30 80 99 8f 21 88 80 00 21 28 00 00 21 20 00 02 09 f8 20 03 98 00 06 24 00 00 22 8e 10 00 bc 8f 04 00 00 ae 00 00 02 ae 10 00 22 8e}  //weight: 1, accuracy: High
        $x_1_2 = {ff ff 4a 25 00 00 42 a1 ff ff c6 24 fb ?? ?? ?? ff ff a5 24 01 00 a5 24 21 10 00 02 1c 00 bf 8f 18 00 b0 8f 08 00 e0 03 20 00 bd 27}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware which is associated with this threat:
Remediation Steps:
Immediately isolate any affected Linux systems from the network to prevent further compromise. Conduct a thorough system scan with up-to-date security software to remove the malware. Patch all known system vulnerabilities and, in particular, replace default or weak credentials, as Mirai frequently exploits these to gain access. Implement network segmentation and monitor for unusual outbound network traffic indicative of botnet activity.
=== END REPORT ===
This analysis was last updated on 12/12/2025.