Backdoor:Linux/Mirai.IW!MTB - Windows Defender Threat Analysis

This detection signifies a concrete finding of the Backdoor:Linux/Mirai.IW variant, a sophisticated malware that targets Linux-based systems, commonly IoT devices. It functions as a backdoor to establish remote access, enabling the infected device to be recruited into a botnet for large-scale Distributed Denial of Service (DDoS) attacks.

No specific strings found for this threat

rule Backdoor_Linux_Mirai_IW_2147914067_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.IW!MTB"
        threat_id = "2147914067"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {10 00 00 05 24 c6 ff ff 90 a2 00 00 24 a5 00 01 a0 82 00 00 24 84 00 01 24 02 ff ff 14 c2 ff fa 24 c6 ff ff 03 e0 00 08 00 00 00 00}  //weight: 1, accuracy: High
        $x_1_2 = {00 00 00 00 13 23 00 08 24 50 ff fc 03 20 f8 09 26 10 ff fc 8e 19 00 00 24 02 ff ff 8f bc 00 10 17 22 ff fa 00 00 00 00 8f bf 00 1c 8f b0 00 18 03 e0 00 08 27 bd 00 20}  //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate affected Linux systems from the network to prevent further compromise and botnet activity. Thoroughly clean the device, which for IoT devices may involve a factory reset, or specialized malware removal for servers. Apply all available security patches, strengthen user credentials, disable unnecessary services, and implement network monitoring for Command and Control (C2) communications.