Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This is a concrete detection of a Linux-based Mirai variant (HF) identified through machine learning behavioral analysis (!MTB). Mirai is a notorious botnet malware that compromises Linux IoT devices, often by brute-forcing weak credentials, to enlist them into a botnet for launching large-scale Distributed Denial of Service (DDoS) attacks.
No specific strings found for this threat
rule Backdoor_Linux_Mirai_HF_2147906490_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.HF!MTB"
        threat_id = "2147906490"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {2d 6e 00 1c ff d8 50 ae 00 1c 51 ae 00 20 72 0f b2 ae ff fc ?? ?? 70 22 2d 40 ff d0 60 00 ?? ?? 2d 6e ff f8 ff dc 72 10 d3 ae ff f8 70 f0 d1 ae ff fc 72 07 b2 ae ff fc ?? ?? 70 22 2d 40 ff d0} //weight: 1, accuracy: Low
        $x_1_2 = {20 6e ff f4 12 10 20 6e ff f8 10 10 b0 01 ?? ?? 52 ae ff f8 20 6e ff f8 10 10 4a 00 ?? ?? 20 6e ff f8 10 10 4a 00} //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Sample hashes:
b92b53b7558fd6d52fdf8ebc6424d99cfa9b4a41bf4289f4ccde63407b4846c5
7210ea75c3e6237fd99c1eeef63a8fe842c36d15b592d9d8e75c16398d4c5196
ffce43f8d771f3a62a8acf6afd0f6aafa8155e0957d05dcc6b64ae9eb3108202
a77fd13a176777ef3ebf37811df7e40721520909ba631f68217ccf3b5ebf36be
71d8ca98a541067e3d1372050252e4a39e99179748e41d1a7e93305e7ec07bd2

Immediately isolate the infected Linux system from the network to prevent further compromise or participation in attacks. Use updated security tools to remove the detected Mirai malware. Patch all system vulnerabilities, update firmware, and enforce strong, unique passwords for all accounts, especially default IoT credentials, to prevent re-infection and secure against future attacks. Monitor network traffic for any Mirai command-and-control activity.
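To make explicit what the rule above actually checks, here is a small Python re-implementation of YARA's hex-string matching and of this rule's condition. This is an added example, not code from threatcheck.sh or from Microsoft's detection engine: it treats each `??` as a one-byte wildcard, compiles the two `$x*` patterns to byte regexes, enforces `filesize < 20MB` (YARA's MB is 1024*1024) and requires `all of ($x*)`. The only values taken from the page are the two byte patterns; the sample buffers it scans are constructed inline and are not real malware. The `threshold` meta field is vendor-specific metadata and is not modelled.

```python
import re

# Hex patterns copied from the rule above; "??" is a one-byte wildcard in YARA hex strings.
X_1_1 = ("2d 6e 00 1c ff d8 50 ae 00 1c 51 ae 00 20 72 0f b2 ae ff fc ?? ?? 70 22 2d 40 ff d0 "
         "60 00 ?? ?? 2d 6e ff f8 ff dc 72 10 d3 ae ff f8 70 f0 d1 ae ff fc 72 07 b2 ae ff fc "
         "?? ?? 70 22 2d 40 ff d0")
X_1_2 = ("20 6e ff f4 12 10 20 6e ff f8 10 10 b0 01 ?? ?? 52 ae ff f8 20 6e ff f8 10 10 4a 00 "
         "?? ?? 20 6e ff f8 10 10 4a 00")

MAX_FILESIZE = 20 * 1024 * 1024  # YARA's "20MB"


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Compile a YARA-style hex string ("2d 6e ?? 1c") into a bytes regex.

    Fixed bytes are escaped literally; "??" becomes "." which, with DOTALL,
    matches any single byte including 0x0a.
    """
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


PATTERNS = {
    "x_1_1": hex_pattern_to_regex(X_1_1),
    "x_1_2": hex_pattern_to_regex(X_1_2),
}


def concretize(pattern: str, fill: int = 0x00) -> bytes:
    """Build concrete bytes from a wildcarded pattern (used only to construct test buffers)."""
    return bytes(fill if tok == "??" else int(tok, 16) for tok in pattern.split())


def scan(data: bytes) -> dict:
    """Return {string name: [match offsets]} for every pattern in the rule."""
    return {name: [m.start() for m in rx.finditer(data)] for name, rx in PATTERNS.items()}


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition: (filesize < 20MB) and (all of ($x*))."""
    if len(data) >= MAX_FILESIZE:
        return False
    hits = scan(data)
    return all(bool(offsets) for offsets in hits.values())


def build_sample(fill1: int = 0xAB, fill2: int = 0xCD) -> bytes:
    """Constructed buffer (not a real sample): ELF magic, padding, both patterns.

    The wildcard positions are filled with arbitrary bytes to show that "??" matches anything.
    Layout: 4-byte magic + 16 bytes padding -> $x_1_1 at offset 20 (64 bytes),
    8 bytes of 0x90 -> $x_1_2 at offset 92.
    """
    return (b"\x7fELF" + b"\x00" * 16
            + concretize(X_1_1, fill1) + b"\x90" * 8
            + concretize(X_1_2, fill2))


if __name__ == "__main__":
    sample = build_sample()
    print("offsets:", scan(sample))
    print("rule matches:", rule_matches(sample))
```

Running it prints both string offsets and `rule matches: True` for the constructed buffer; a buffer containing only one of the two patterns does not satisfy `all of ($x*)`, and changing a single fixed (non-wildcard) byte defeats the corresponding string, which is why the rule carries a "Low" accuracy label: the match is tight on fixed bytes and tolerant only at the `??` positions.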