Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This detection identifies a specific variant (JL) of the Mirai botnet targeting Linux systems, using both concrete signatures and machine learning behavioral analysis (the !MTB suffix). Mirai malware is known for compromising IoT devices and Linux servers and turning them into bots for launching large-scale Distributed Denial of Service (DDoS) attacks; variants often also carry backdoor capabilities for remote access and control.
No specific text strings were found for this threat; the rule below matches on hex byte patterns only.
rule Backdoor_Linux_Mirai_JL_2147919522_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.JL!MTB"
        threat_id = "2147919522"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {00 54 28 21 00 53 20 21 02 15 10 2a 02 40 30 21 24 07 40 00 10 ?? ?? ?? 26 10 00 01 8c 84 00 00 8c a5 00 00 02 20 c8 21 03 20 f8 09 00 00 00 00 8f bc 00 10 10 ?? ?? ?? 00 10 10 80} //weight: 1, accuracy: Low
        $x_1_2 = {30 c3 00 ff 24 62 ff d0 30 42 00 ff 2c 42 00 0a 14 ?? ?? ?? 24 62 ff bf 30 42 00 ff 2c 42 00 1a 10 ?? ?? ?? 24 62 ff 9f 24 02 00 37 10 ?? ?? ?? 00 c2 18 23} //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

SHA-256: b1ad8f75d8ca1ed287e2e191fc613b1a7bb60dee51b59384ecbd750c84dff7de

Immediately isolate the infected Linux system from the network to prevent further compromise and botnet activity. Perform a full system scan with updated security software to identify and eradicate the Mirai malware. Investigate the initial compromise vector, which often includes weak credentials (e.g., default IoT passwords) or unpatched vulnerabilities, and then apply the necessary security patches, strengthen password policies, and disable unnecessary services to prevent re-infection.