Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This is a concrete detection of Backdoor:Linux/Mirai.HI!MTB, a variant of the well-known Mirai botnet targeting Linux systems. It establishes a backdoor that gives attackers remote control of the compromised device and enrolls it into a botnet used for DDoS attacks or other malicious activities. The variant is identified through specific binary patterns and behavioral analysis.
No specific strings found for this threat
rule Backdoor_Linux_Mirai_HI_2147913428_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.HI!MTB"
        threat_id = "2147913428"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"

    strings:
        $x_1_1 = {00 80 28 21 03 20 30 21 00 a0 20 21 24 02 0f cd 00 00 00 0c 8f 83 81 a8 00 45 28 2b 00 00 20 21 10 a0 00 08 ac 62 00 00 00 c0 c8 21 03 20 f8 09 00 00 00 00 24 03 00 0c 8f bc 00 10 24 04 ff ff ac 43 00 00 8f bf 00 18 00 80 10 21 03 e0 00 08 27 bd 00 20} //weight: 1, accuracy: High
        $x_1_2 = {24 e8 ff d0 29 02 01 00 10 40 00 24 24 84 00 01 80 86 00 00 00 08 18 c0 00 08 10 40 00 43 10 21 00 06 18 40 00 69 18 21 94 63 00 00 00 46 38 21 30 62 00 08 14 40 ff f2 29 42 00 04 10 40 00 05 00 00 00 00 14 cc 00 15 24 84 00 01 10 00 00 07 00 0b 12 00} //weight: 1, accuracy: High

    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate the infected Linux system from the network. Perform a clean reinstallation of the operating system or a thorough malware removal. Ensure all software, firmware, and security patches are up to date to address exploited vulnerabilities, and change all weak or default credentials, particularly for root and administrative accounts.