Backdoor:Linux/Mirai.IJ!MTB - Windows Defender Threat Analysis

This detection indicates a Linux system is infected with a Mirai variant, a notorious malware family known for creating botnets. This specific variant operates as a backdoor, allowing attackers remote control over the compromised device, typically to launch Distributed Denial-of-Service (DDoS) attacks.

No specific strings found for this threat

rule Backdoor_Linux_Mirai_IJ_2147908710_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.IJ!MTB"
        threat_id = "2147908710"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {00 00 51 e3 01 10 41 e2 0f ?? ?? ?? 01 c0 d0 e4 41 30 4c e2 19 00 53 e3 02 30 d4 e7 41 e0 43 e2 60 c0 8c 93 19 00 5e e3 60 30 83 93 03 00 5c e1 00 20 a0 13 f1 ?? ?? ?? 01 20 82 e2 02 00 55 e1 ee ?? ?? ?? 00 00 66 e0 70 80 bd e8}  //weight: 1, accuracy: Low
        $x_1_2 = {01 30 cc e7 00 20 9e e5 02 30 dc e7 03 30 25 e0 02 30 cc e7 00 10 9e e5 01 30 dc e7 03 30 24 e0 01 30 cc e7 04 20 de e5 01 30 d7 e5 01 c0 8c e2 03 24 82 e1 0c 00 52 e1 e9 ?? ?? ?? f0 80 bd e8}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate the infected Linux system from the network to prevent further compromise and botnet participation. Reboot the device to potentially remove the in-memory malware, then change all default and weak credentials. Patch all system vulnerabilities and update firmware, and implement network segmentation to restrict unauthorized access.