Backdoor:Linux/Mirai.HH!MTB - Windows Defender Threat Analysis

This detection identifies a variant of the Mirai botnet, specifically Backdoor:Linux/Mirai.HH, on a Linux platform. This malware typically compromises IoT devices to establish a botnet, enabling distributed denial-of-service (DDoS) attacks and other malicious activities, and is detected via machine learning behavioral analysis (!MTB).

No specific strings found for this threat

rule Backdoor_Linux_Mirai_HH_2147910130_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.HH!MTB"
        threat_id = "2147910130"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {3c 40 1b e5 01 00 74 e3 03 01 00 0a 02 00 54 e3 02 30 e0 03 26 ?? ?? ?? 04 00 54 e3 00 30 a0 13 01 30 a0 03}  //weight: 1, accuracy: Low
        $x_1_2 = {84 40 a0 e1 06 30 84 e2 03 30 c3 e3 0d d0 63 e0 38 c0 4b e2 04 c0 8d e5 07 00 a0 e1 3c c0 4b e2 02 10 a0 e3 60 20 4b e2 10 30 8d e2 08 c0 8d e5 00 40 8d e5 9a 03 00 eb 22 00 50 e3 03 ?? ?? ?? 3c 30 1b e5 01 00 73 e3}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate the compromised Linux system. Employ an updated antivirus solution to scan and remove Backdoor:Linux/Mirai.HH, then enforce strong, unique credentials and patch any underlying vulnerabilities. Monitor network traffic for unusual command-and-control communications.