Backdoor:Linux/Mirai.JK!MTB - Windows Defender Threat Analysis

This is a concrete detection of Backdoor:Linux/Mirai.JK!MTB, a variant of the Mirai botnet family specifically targeting Linux systems. This malware gains unauthorized access to compromise devices, typically IoT, enlisting them into a botnet used for launching Distributed Denial of Service (DDoS) attacks and other malicious activities.

No specific strings found for this threat

rule Backdoor_Linux_Mirai_JK_2147784846_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.JK!MTB"
        threat_id = "2147784846"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {8b 43 0c 8d 4c 18 1c 0f b7 51 10 01 c2 8b 41 08 89 53 0c 8b 51 0c 89 43 04 89 53 08}  //weight: 1, accuracy: High
        $x_1_2 = {57 56 53 8b 5c 24 10 8b 43 0c 3b 43 10 7c ?? be dc 00 00 00 8b 13 bf 00 08 00 00 8d 4b 1c 89 f0 e8 fb 03 00 00 83 f8 00 89 c7 7f ?? 7d ?? 83 f8 fe 74 ?? e8 b8 01 00 00 f7 df 89 38}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate the infected Linux system from the network to prevent further compromise or participation in attacks. Utilize up-to-date endpoint detection and response (EDR) or anti-malware solutions for thorough scanning and removal of the threat; if remediation fails, a full re-image to a trusted state is recommended. Identify and patch any underlying vulnerabilities that allowed the compromise, change all default or compromised credentials, and enforce strong network segmentation.