Backdoor:Linux/Mirai.HD!MTB - Windows Defender Threat Analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:Linux/Mirai.HD!MTB
Classification:
Type: Backdoor
Platform: Linux
Family: Mirai
Detection Type: Concrete (known malware family with identified signatures)
Variant: HD (specific signature variant within the malware family)
Suffix: !MTB (detected via machine learning and behavioral analysis)
Detection Method: Behavioral
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access), Linux platform, Mirai family.

Summary:

This detection identifies a Linux-based Mirai botnet variant, 'Mirai.HD', acting as a backdoor. Mirai is a notorious malware family that infects IoT devices and uses them to launch large-scale distributed denial-of-service (DDoS) attacks. This specific detection is a concrete signature match produced by machine learning and behavioral analysis.

Severity: Critical
VDM Static Detection: No specific strings found for this threat.
YARA Rule:
rule Backdoor_Linux_Mirai_HD_2147906813_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.HD!MTB"
        threat_id = "2147906813"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {04 10 a0 e1 80 20 a0 e3 05 00 a0 e1 9b ff ff eb 00 20 50 e2 04 10 a0 e1 07 00 a0 e1 01 ?? ?? ?? 8b ff ff eb f5 ?? ?? ?? 05 00 a0 e1 69 ff ff eb 07 00 a0 e1 67 ff ff eb 3c 10 9f e5 04 20 a0 e3 01 00 a0 e3 82 ff ff eb 05 00 a0 e3 59 ff ff eb 98 d0 8d e2 f0 41 bd e8}  //weight: 1, accuracy: Low
        $x_1_2 = {20 21 9f e5 20 01 9f e5 aa ff ff eb 01 10 a0 e3 00 70 a0 e1 06 20 a0 e1 02 00 a0 e3 d2 ff ff eb 01 00 70 e3 01 00 77 13 00 50 a0 e1 01 00 a0 03 ?? ff ff 0b 05 00 a0 e1 84 10 8d e2 10 20 a0 e3 a7 ff ff eb 00 40 50 e2 05 ?? ?? ?? 01 00 a0 e3 d8 10 9f e5 04 20 a0 e3}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware associated with this threat:
Filename: dlr.arm6
Hash: 26c766a410eb8a03a90c3db7eb6508bb4ab5d215d5735de387e1566c5480d32a
Date: 15/01/2026
Filename: dlr.arm7
Hash: 1c513038cf0e06e20aeac63558954efecba1b400564ea35cb1a14b68087c0051
Date: 15/01/2026
Filename: dlr.arm7
Hash: 429fa603e41e304fb6abce2cea372e692649dea1033bd2731c35ada775b920c9
Date: 25/12/2025
Remediation Steps:
Immediately isolate the infected Linux device from the network. Conduct a full system scan with updated security software and remove all detected malicious files. Patch any known vulnerabilities on the device, change default or weak credentials, and harden network configurations by blocking unnecessary inbound/outbound connections and disabling unneeded services. Implement continuous security monitoring to prevent re-infection.
=== END REPORT ===
This analysis was last updated on 25/12/2025.