Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
Backdoor:Linux/Mirai.IM!MTB is a concrete detection of a Mirai variant targeting Linux systems. The threat operates as a backdoor, turning the compromised system into a bot that participates in distributed denial-of-service (DDoS) attacks and potentially other malicious activity under remote control. The detection relies on Microsoft's behavioral analysis (the !MTB suffix denotes Microsoft Threat Behavior), indicating high confidence that the sample is malicious.
No specific strings found for this threat
rule Backdoor_Linux_Mirai_IM_2147911093_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.IM!MTB"
        threat_id = "2147911093"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {80 a0 60 07 32 ?? ?? ?? 92 02 60 20 e4 02 60 1c e6 02 60 14 80 a4 80 19 ec 02 60 10 ea 02 60 08 18 ?? ?? ?? a8 10 00 12 10 ?? ?? ?? a8 10 00 19 c2 00 c0 00 83 28 60 05 82 00 80 01 80 a2 40 01} //weight: 1, accuracy: Low
        $x_1_2 = {84 89 20 ff 02 ?? ?? ?? c6 0a 40 00 82 08 e0 ff 80 a0 80 01 22 ?? ?? ?? ?? 02 20 01 82 08 e0 ff 81 c3 e0 08 ?? 20 80 01 92 02 60 01 94 02 bf ff 80 a2 a0 00} //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Associated sample hash: a85133310b6057a51b732e5807e5c5f8ae197548aaec0b3e7958934bd35069e4

Immediately isolate the infected Linux system from the network. Perform a full system scan with updated antivirus definitions, remove all detected threats, and apply all pending security updates and patches. Change all system and service credentials, ensure strong firewall rules are in place, and monitor network traffic for any unusual outbound connections or activity indicative of C2 communication.
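As an added example (not code from threatcheck.sh or Microsoft), the following Python implements the matching logic the rule above expresses: each `??` is a one-byte wildcard, both $x strings must be present, and the file must be smaller than 20 MB. The sample buffer, the `instantiate` helper and the fill bytes are constructed here for illustration and do not come from a real binary.

```python
import re

# Wildcard hex strings copied from the rule above; "??" is a one-byte wildcard.
PATTERNS = {
    "x_1_1": "80 a0 60 07 32 ?? ?? ?? 92 02 60 20 e4 02 60 1c e6 02 60 14 80 a4 80 19 "
             "ec 02 60 10 ea 02 60 08 18 ?? ?? ?? a8 10 00 12 10 ?? ?? ?? a8 10 00 19 "
             "c2 00 c0 00 83 28 60 05 82 00 80 01 80 a2 40 01",
    "x_1_2": "84 89 20 ff 02 ?? ?? ?? c6 0a 40 00 82 08 e0 ff 80 a0 80 01 22 ?? ?? ?? ?? "
             "02 20 01 82 08 e0 ff 81 c3 e0 08 ?? 20 80 01 92 02 60 01 94 02 bf ff 80 a2 a0 00",
}
MAX_SIZE = 20 * 1024 * 1024  # rule condition: filesize < 20MB (YARA's MB is 2**20)


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a YARA-style hex string (with ?? wildcards) into a bytes regex."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16)
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: '.' matches any byte


def match_signature(data: bytes) -> dict:
    """Evaluate the rule condition: (filesize < 20MB) and (all of ($x*))."""
    size_ok = len(data) < MAX_SIZE
    hits = {name: bool(hex_pattern_to_regex(p).search(data))
            for name, p in PATTERNS.items()}
    return {"size_ok": size_ok, "hits": hits,
            "matches": size_ok and all(hits.values())}


def instantiate(pattern: str, fill: int) -> bytes:
    """Constructed helper: one concrete byte sequence that satisfies a pattern."""
    return bytes(fill if tok == "??" else int(tok, 16) for tok in pattern.split())


# Constructed sample buffer (not a real file): ELF magic, padding, both patterns.
SAMPLE = (b"\x7fELF" + b"\x00" * 64
          + instantiate(PATTERNS["x_1_1"], 0x42) + b"\xaa" * 16
          + instantiate(PATTERNS["x_1_2"], 0x13))

if __name__ == "__main__":
    print(match_signature(SAMPLE))  # matches: True; a buffer with only one string: False
```

A real scanner would read the ELF from disk and apply the size bound before searching; the regex approach here is only meant to make the wildcard semantics of the rule visible.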