Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This detection identifies a backdoor from the Mirai malware family, a botnet that primarily infects Linux-based systems and IoT devices (routers, cameras, DVRs), typically by brute-forcing default Telnet credentials. Once infected, the device takes commands from a remote command-and-control server and is used to participate in large-scale Distributed Denial of Service (DDoS) attacks.
No plain-text strings are listed for this threat; the rule below matches only on two hex byte patterns. Both patterns decode as little-endian 32-bit ARM instructions (for example `00 00 a0 e3` is `mov r0, #0` and `7e ff ff eb` is a `bl` call), so this signature covers ARM builds of the binary; Mirai builds for other architectures will not match it. The weights on the two patterns (1 and 4) sum exactly to the threshold of 5, which is why the condition requires both.
rule Backdoor_Linux_Mirai_HQ_2147907547_0
{
meta:
author = "threatcheck.sh"
detection_name = "Backdoor:Linux/Mirai.HQ!MTB"
threat_id = "2147907547"
type = "Backdoor"
platform = "Linux: Linux platform"
family = "Mirai"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
threshold = "5"
strings_accuracy = "High"
strings:
$x_1_1 = {64 42 9f e5 00 00 a0 e3 02 19 a0 e3 7e ff ff eb 01 00 a0 e3 04 10 a0 e1 7b ff ff eb 04 10 a0 e1 02 00 a0 e3 78 ff ff eb 04 00 9d e5 3c 32 9f e5 00 20 90 e5 00 10 9d e5 03 20 81 e7 00 40 90 e5 00 00 54 e3 0d 00 00 0a 24 32 9f e5 03 30 91 e7 00 40 83 e5 2f 10 a0 e3} //weight: 1, accuracy: High
$x_4_2 = {5c 31 9f e5 00 10 9d e5 03 20 91 e7 02 30 a0 e1 00 00 53 e3 03 00 00 0a 0f e0 a0 e1 12 ff 2f e1 00 30 a0 e3 00 30 80 e5 10 00 8d e2 9c 00 00 eb 00 00 50 e3 12 00 00 1a a2 00 00 eb} //weight: 4, accuracy: High
condition:
(filesize < 20MB) and
(all of ($x*))
}
Related sample hashes (64 hex digits each, SHA-256 length):
554cb7af5469c5d2154f0f7c74cf50c4af15cbb7c652a47c5d9b40cb03a3579c
0ebe2ca14a0ecfef86cc3e8efc1611c3ca581992a78e889126585950e7d1dd82
defdc05bda40e0a72fba993a34fc10a62691e98d771731767d1893f7ced923ee
d893f3c968c6c6f01196a102274420b992d8ff3c0e9da740bd8548add4e8e230
8067c9bf0ca1a67352fc7b8c9cc99fed8d9f3f57246712a6cd692edc4b66d323
Remediation: Isolate the affected system from the network immediately to cut off command-and-control communication. Re-image the device from a trusted source or restore from a known-clean backup. Harden the system by changing all default credentials, disabling unnecessary services (Telnet in particular), and applying the latest firmware and security patches. Cleaning alone is not enough: a device that still exposes its default credentials will be re-infected as soon as it is reachable again.
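The following is an added example, not part of the original detection page or of any vendor tooling. It re-implements the rule above in plain Python so that its weighted-threshold logic can be exercised without a YARA install: each hex pattern is searched for as raw bytes, the matching patterns' weights are summed against the rule's threshold of 5, and the `filesize < 20MB` gate is applied. It also reinterprets the patterns as little-endian 32-bit words to show that they are ARM instructions. The function names (`score_buffer`, `matches_rule`, `le_words`, `scan_file`) are this example's own, and the sample buffers are constructed test data with a fake ELF header, not real Mirai samples.

```python
from pathlib import Path

# Hex patterns and weights copied from the YARA rule above. The only things
# that are not from the rule are the function names and the constructed
# sample buffers at the bottom.
RULE_PATTERNS = {
    "$x_1_1": (1,
        "64 42 9f e5 00 00 a0 e3 02 19 a0 e3 7e ff ff eb 01 00 a0 e3 04 10 a0 e1 "
        "7b ff ff eb 04 10 a0 e1 02 00 a0 e3 78 ff ff eb 04 00 9d e5 3c 32 9f e5 "
        "00 20 90 e5 00 10 9d e5 03 20 81 e7 00 40 90 e5 00 00 54 e3 0d 00 00 0a "
        "24 32 9f e5 03 30 91 e7 00 40 83 e5 2f 10 a0 e3"),
    "$x_4_2": (4,
        "5c 31 9f e5 00 10 9d e5 03 20 91 e7 02 30 a0 e1 00 00 53 e3 03 00 00 0a "
        "0f e0 a0 e1 12 ff 2f e1 00 30 a0 e3 00 30 80 e5 10 00 8d e2 9c 00 00 eb "
        "00 00 50 e3 12 00 00 1a a2 00 00 eb"),
}
THRESHOLD = 5                     # meta: threshold = "5"
MAX_FILESIZE = 20 * 1024 * 1024   # condition: filesize < 20MB (YARA's MB is 2**20)


def hex_pattern_to_bytes(pattern: str) -> bytes:
    """Turn a space-separated YARA hex string into the raw bytes to search for."""
    return bytes.fromhex(pattern.replace(" ", ""))


def le_words(name: str) -> list[int]:
    """Reinterpret a pattern as little-endian 32-bit words (ARM instruction encoding)."""
    raw = hex_pattern_to_bytes(RULE_PATTERNS[name][1])
    usable = len(raw) - len(raw) % 4
    return [int.from_bytes(raw[i:i + 4], "little") for i in range(0, usable, 4)]


def score_buffer(data: bytes) -> tuple[int, list[str]]:
    """Sum the weights of every pattern found in data; return (score, hit names)."""
    score, hits = 0, []
    for name, (weight, pattern) in RULE_PATTERNS.items():
        if hex_pattern_to_bytes(pattern) in data:
            score += weight
            hits.append(name)
    return score, hits


def matches_rule(data: bytes) -> bool:
    """Apply the rule: size gate first, then the weighted score against the threshold."""
    if len(data) >= MAX_FILESIZE:
        return False
    score, _ = score_buffer(data)
    return score >= THRESHOLD


def scan_file(path: str) -> bool:
    """Convenience wrapper for scanning a file on disk."""
    return matches_rule(Path(path).read_bytes())


# Constructed sample buffers (not real malware): a fake 64-byte ELF header
# followed by zero, one or both of the rule's byte patterns.
_P1 = hex_pattern_to_bytes(RULE_PATTERNS["$x_1_1"][1])
_P2 = hex_pattern_to_bytes(RULE_PATTERNS["$x_4_2"][1])
_ELF_STUB = b"\x7fELF\x01\x01\x01" + b"\x00" * 57
SAMPLE_BOTH = _ELF_STUB + _P1 + b"\x00" * 32 + _P2      # both patterns: score 5, match
SAMPLE_PARTIAL = _ELF_STUB + _P2                        # only $x_4_2: score 4, no match
SAMPLE_CLEAN = _ELF_STUB + b"\x00" * 128                # neither pattern: score 0

if __name__ == "__main__":
    for label, buf in (("both", SAMPLE_BOTH), ("partial", SAMPLE_PARTIAL), ("clean", SAMPLE_CLEAN)):
        print(f"{label:8s} score/hits={score_buffer(buf)} match={matches_rule(buf)}")
    # Second word of $x_1_1 is 0xe3a00000, i.e. ARM 'mov r0, #0'.
    print(f"$x_1_1[1] = {le_words('$x_1_1')[1]:#010x}")
```

The partial case is the one worth noticing: the heavier pattern alone scores 4, one short of the threshold, so a sample that drops or relocates the lighter 88-byte prologue block evades this signature even though the indirect-call sequence (`mov lr, pc` / `bx r2`, words 6 and 7 of `$x_4_2`) is still present.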