Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This is a concrete detection of Backdoor:Linux/Mirai.HR!MTB, a variant of the notorious Mirai botnet specifically targeting Linux systems. This malware acts as a backdoor, granting remote control over the infected device, primarily to launch distributed denial-of-service (DDoS) attacks. Its detection leverages machine learning behavioral analysis (!MTB) to identify active malicious patterns.
No specific strings found for this threat
rule Backdoor_Linux_Mirai_HR_2147908273_0
{
meta:
author = "threatcheck.sh"
detection_name = "Backdoor:Linux/Mirai.HR!MTB"
threat_id = "2147908273"
type = "Backdoor"
platform = "Linux: Linux platform"
family = "Mirai"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
threshold = "2"
strings_accuracy = "Low"
strings:
$x_1_1 = {ff c9 83 f9 ff 74 ?? 48 63 d7 0f b6 06 41 3a 04 10 75 ?? ff c7 39 fb 75 ?? 66 ?? e9 ?? ?? ?? ?? 31 f6 bf 16 00 00 00} //weight: 1, accuracy: Low
$x_1_2 = {48 c7 44 24 38 00 00 00 00 0f ?? ?? ?? ?? ?? 66 c1 cd 08 66 89 6c 24 2a 44 0f b6 6c 24 27 45 85 ed 0f ?? ?? ?? ?? ?? 41 8d 45 ff 48 8b 6c 24 18 45 31 e4 48 ff c0 48 89 44 24 10} //weight: 1, accuracy: Low
condition:
(filesize < 20MB) and
(all of ($x*))
}80e2ffefac43ba12de92a71d3fb462576c6e13618faf4b1162198410a0f8f953Immediately isolate the compromised Linux system from the network. Employ an updated antivirus solution to scan and remove the Mirai malware, then thoroughly patch all system vulnerabilities and enforce strong, unique credentials. Implement network segmentation and egress filtering to prevent command-and-control communication and future infections.