Concrete signature match: Trojan (appears legitimate but performs malicious actions), Linux platform, family Mirai
Trojan:Linux/Mirai.W!MTB is a concrete detection for a Mirai botnet variant targeting Linux-based IoT devices. This malware infects vulnerable devices, recruiting them into a botnet primarily used for launching distributed denial-of-service (DDoS) attacks.
No specific strings found for this threat
rule Trojan_Linux_Mirai_W_2147831779_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Linux/Mirai.W!MTB"
        threat_id = "2147831779"
        type = "Trojan"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {f4 13 02 b0 61 6a f4 1b c0 b0 60 8a f0 13 02 b0 40 22 44 00 f0 1b 00 b1 40 8a 50 73 05 f2} //weight: 1, accuracy: High
        $x_1_2 = {f8 13 02 b0 ab e2 0a f4 e4 13 02 b0 61 6a e4 1b c0 b0 40 8a f8 1b 80 b0} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate the compromised Linux device(s) from the network. Remove the detected malware and patch any underlying vulnerabilities (e.g., weak/default credentials, unpatched software) to prevent re-infection. Implement strong password policies and network segmentation, and continuously monitor for suspicious network traffic.
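To make the rule's condition concrete, the following added example (not code from threatcheck.sh or the signature's author) is a dependency-free evaluator for the two ELF hex strings above: it reproduces the rule's logic (filesize < 20MB and all $x* strings present) and also shows the weighted-threshold reading implied by the weight/threshold metadata. The sample buffers are constructed filler with the patterns embedded, not real malware.

```python
# Added example: minimal evaluator for the Trojan:Linux/Mirai.W!MTB hex-string
# signature shown on this page. Pure Python, no yara module required.
from dataclasses import dataclass

MAX_SIZE = 20 * 1024 * 1024  # the rule's "filesize < 20MB"
THRESHOLD = 2                # the rule's "threshold" metadata


@dataclass(frozen=True)
class HexString:
    name: str
    pattern: bytes
    weight: int


def parse_hex(body: str) -> bytes:
    """Turn a YARA-style hex string body ("f4 13 02 b0 ...") into bytes."""
    return bytes.fromhex(body.replace(" ", ""))


# The two byte patterns exactly as they appear in the rule above (weight 1 each).
SIGNATURE = [
    HexString("$x_1_1", parse_hex("f4 13 02 b0 61 6a f4 1b c0 b0 60 8a f0 13 02 b0 40 22 44 00 f0 1b 00 b1 40 8a 50 73 05 f2"), 1),
    HexString("$x_1_2", parse_hex("f8 13 02 b0 ab e2 0a f4 e4 13 02 b0 61 6a e4 1b c0 b0 40 8a f8 1b 80 b0"), 1),
]


def matched_strings(data: bytes) -> list[str]:
    """Names of the signature strings found anywhere in data."""
    return [h.name for h in SIGNATURE if h.pattern in data]


def rule_matches(data: bytes) -> bool:
    """The rule's condition: under the size limit and every $x* string present."""
    if len(data) >= MAX_SIZE:
        return False
    return len(matched_strings(data)) == len(SIGNATURE)


def weighted_score(data: bytes) -> int:
    """Sum of the weights of the strings that matched."""
    return sum(h.weight for h in SIGNATURE if h.pattern in data)


def threshold_matches(data: bytes) -> bool:
    """Weighted-threshold view: matched weights must reach the threshold."""
    return len(data) < MAX_SIZE and weighted_score(data) >= THRESHOLD


# Constructed sample buffers (not real samples): ELF magic, filler, embedded patterns.
SAMPLE_BOTH = b"\x7fELF" + b"\x00" * 64 + SIGNATURE[0].pattern + b"\x90" * 32 + SIGNATURE[1].pattern
SAMPLE_ONE = b"\x7fELF" + b"\x00" * 64 + SIGNATURE[0].pattern + b"\x00" * 16

if __name__ == "__main__":
    for label, buf in (("both patterns", SAMPLE_BOTH), ("one pattern", SAMPLE_ONE)):
        print(label, matched_strings(buf), rule_matches(buf), threshold_matches(buf))
```

Because both strings carry weight 1 and the threshold is 2, the threshold reading and the rule's `all of ($x*)` condition agree; a file that contains only one pattern does not match under either.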