Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This is a concrete detection of a Mirai malware variant, specifically 'Mirai.HX', targeting Linux systems. It functions as a backdoor, granting unauthorized remote access and control over the compromised device. The primary objective is likely to enroll the system into a botnet for launching Distributed Denial of Service (DDoS) attacks.
No human-readable strings are listed for this threat; the rule below matches on raw byte sequences only.
rule Backdoor_Linux_Mirai_HX_2147909857_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.HX!MTB"
        threat_id = "2147909857"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "4"
        strings_accuracy = "High"

    strings:
        $x_1_1 = {85 2c 20 08 a0 10 80 01 03 03 42 83 82 10 61 0a 80 a4 00 01 12 bf ff f2 92 07 bf f7} // weight: 1, accuracy: High
        $x_1_2 = {90 10 00 11 92 10 00 10 7f ff ff 94 94 10 20 80 80 a2 20 00 04 80 00 07 94 10 00 08} // weight: 1, accuracy: High
        $x_1_3 = {94 10 20 01 7f ff ff a6 90 10 00 11 80 a2 20 01 02 80 00 05 c2 4f bf f7} // weight: 1, accuracy: High
        $x_1_4 = {92 07 bf e4 7f ff ff ad 94 10 20 10 a0 92 20 00 36 80 00 0a} // weight: 1, accuracy: High

    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Associated sample hash (SHA-256): 724d3bc953ebe1ccf8ee7f880eb52491db3dd37c471da1435c99108b1f36448c

Immediately isolate the affected Linux system from the network. Run a full system scan with an updated antivirus or EDR solution to remove the Mirai backdoor. Change all system and service credentials, and apply all available security patches to prevent re-infection and close the vulnerabilities that were exploited.