Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
Backdoor:Linux/Mirai.GY!MTB is a concrete detection of a Mirai botnet variant targeting Linux systems, often IoT devices. It functions as a backdoor, allowing attackers to enroll the compromised device into a botnet for Distributed Denial of Service (DDoS) attacks and other malicious operations. This specific variant was identified with the aid of machine learning behavioral analysis.
No specific strings found for this threat
rule Backdoor_Linux_Mirai_GY_2147906812_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.GY!MTB"
        threat_id = "2147906812"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {21 e0 99 03 d8 ff bd 27 20 00 bf af 1c 00 b1 af 18 00 b0 af 10 00 bc af 21 80 a0 00 30 80 99 8f 21 88 80 00 21 28 00 00 21 20 00 02 09 f8 20 03 98 00 06 24 00 00 22 8e 10 00 bc 8f 04 00 00 ae 00 00 02 ae 10 00 22 8e} //weight: 1, accuracy: High
        $x_1_2 = {ff ff 4a 25 00 00 42 a1 ff ff c6 24 fb ?? ?? ?? ff ff a5 24 01 00 a5 24 21 10 00 02 1c 00 bf 8f 18 00 b0 8f 08 00 e0 03 20 00 bd 27} //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate any affected Linux system from the network to prevent further compromise. Run a full scan with up-to-date security software to remove the malware. Patch known vulnerabilities and replace default or weak credentials, which Mirai variants commonly exploit to spread. Implement network segmentation and monitor for unusual outbound traffic indicative of botnet activity, such as command-and-control check-ins or DDoS flooding.
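To make the rule's condition concrete, here is an added Python example (not threatcheck.sh or YARA code) that re-implements the matching the rule relies on: each hex string, including the ?? wildcard bytes in $x_1_2, becomes a bytes regex, and the condition (filesize < 20MB) and (all of ($x*)) is evaluated over a buffer. The sample buffers are constructed inside the script and are not real Mirai samples.

```python
import re

# Hex patterns copied from the rule above ($x_1_1 and $x_1_2); "??" is a one-byte wildcard.
PATTERNS = {
    "$x_1_1": "21 e0 99 03 d8 ff bd 27 20 00 bf af 1c 00 b1 af 18 00 b0 af 10 00 bc af "
              "21 80 a0 00 30 80 99 8f 21 88 80 00 21 28 00 00 21 20 00 02 09 f8 20 03 "
              "98 00 06 24 00 00 22 8e 10 00 bc 8f 04 00 00 ae 00 00 02 ae 10 00 22 8e",
    "$x_1_2": "ff ff 4a 25 00 00 42 a1 ff ff c6 24 fb ?? ?? ?? ff ff a5 24 01 00 a5 24 "
              "21 10 00 02 1c 00 bf 8f 18 00 b0 8f 08 00 e0 03 20 00 bd 27",
}
MAX_FILESIZE = 20 * 1024 * 1024  # "filesize < 20MB" in YARA means 20 MiB


def hex_pattern_to_regex(pattern: str):
    """Turn a YARA-style hex string into a bytes regex; ?? becomes a single-byte wildcard."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(p) for name, p in PATTERNS.items()}


def matched_strings(data: bytes) -> set:
    """Names of the rule's strings that occur anywhere in data."""
    return {name for name, rx in COMPILED.items() if rx.search(data)}


def rule_matches(data: bytes) -> bool:
    """Mirror of the condition: (filesize < 20MB) and (all of ($x*))."""
    return len(data) < MAX_FILESIZE and matched_strings(data) == set(COMPILED)


def build_sample(include=("$x_1_1", "$x_1_2"), wildcard_fill=b"\xaa") -> bytes:
    """Constructed test buffer (not a real binary): filler bytes around the chosen
    patterns, with every ?? replaced by wildcard_fill so the wildcard logic is exercised."""
    chunks = [b"\x7fELF" + b"\x00" * 12]
    for name in include:
        toks = [wildcard_fill.hex() if t == "??" else t for t in PATTERNS[name].split()]
        chunks.append(bytes.fromhex("".join(toks)) + b"\x00" * 8)
    return b"".join(chunks)


if __name__ == "__main__":
    print("both strings present ->", rule_matches(build_sample()))             # True
    print("only $x_1_2 present  ->", rule_matches(build_sample(("$x_1_2",))))  # False
```

In production, load the rule with yara or yara-python rather than re-implementing it; this script only illustrates why a file that carries just one of the two strings, or exceeds 20 MiB, does not trigger the detection.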