Concrete signature match: Trojan (appears legitimate but performs malicious actions), Linux platform, family MsfShellBin
Trojan:Linux/MsfShellBin.A is a critical-severity Linux Trojan detected by a concrete (high-confidence) signature. The byte patterns in the rule below are fragments of Metasploit (msfvenom) x86-64 Linux payloads: the sequence that builds the string "/bin/sh" on the stack and sets up the path and argv registers for an execve syscall, and the stager logic that accepts a connection, maps a readable/writable/executable page, reads a second stage into it and jumps to it. A match therefore indicates an ELF that carries Metasploit shell or stager shellcode, either as a standalone msfvenom-generated binary or embedded in another file, and whose purpose is to hand the attacker a shell or a second-stage loader on the compromised system.
No printable strings are listed for this threat; detection relies on the hex byte patterns in the rule below.
rule Trojan_Linux_MsfShellBin_A_2147794796_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Linux/MsfShellBin.A"
        threat_id = "2147794796"
        type = "Trojan"
        platform = "Linux: Linux platform"
        family = "MsfShellBin"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "1"
        strings_accuracy = "High"
    strings:
        // weight: 1, accuracy: High
        // mov rbx, "/bin/sh\0"; push rbx; mov rdi, rsp; push rdx; push rdi; mov rsi, rsp; syscall
        // (execve path/argv setup; the execve syscall number itself is not part of the pattern)
        $x_1_1 = {48 bb 2f 62 69 6e 2f 73 68 00 53 48 89 e7 52 57 48 89 e6 0f 05}
        // weight: 1, accuracy: High
        // exit(1) failure block (push 60; pop rax; push 1; pop rdi; syscall), then
        // pop rsi; push 0x26; pop rdx; syscall; test rax, rax; js back to exit(1); jmp rsi
        // (on success, execution jumps into the buffer at rsi)
        $x_1_2 = {6a 3c 58 6a 01 5f 0f 05 5e 6a 26 5a 0f 05 48 85 c0 78 ed ff e6}
        // weight: 1, accuracy: High
        // syscall; xchg rax, rsi; accept (43); push rax; push rsi; pop rdi;
        // mmap(NULL, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS);
        // xchg rax, rsi; xchg rax, rdi; pop rdi; read stage into the new page; jmp rsi
        // (tail of the Metasploit linux/x64 bind_tcp stager)
        $x_1_3 = {0f 05 48 96 6a 2b 58 0f 05 50 56 5f 6a 09 58 99 b6 10 48 89 d6 4d 31 c9 6a 22 41 5a b2 07 0f 05 48 96 48 97 5f 0f 05 ff e6}
    condition:
        (filesize < 20MB) and
        (1 of ($x*))
}

SHA-256: 618d185540aa838d4b5315a8ee3c28327bf885dca404f7791c4cdd719985bc6e

Isolate the compromised Linux host from the network immediately. Because the matched shellcode either spawns /bin/sh or opens a socket to hand the attacker a shell or fetch a second stage, identify the process that owns the detected file and any shell it spawned or socket it holds (for example with ps and ss -tnp) before terminating it, and preserve a copy and the hash of the file for analysis. Remove the file, run a full scan with updated security software, review system logs for how the payload was dropped and executed and for signs of further compromise, and apply all outstanding security patches. Reinforce host-based firewalls and network segmentation so that a bind or reverse shell can neither be reached by nor connect back to the attacker.
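The following is an added example, not code from the threatcheck.sh page or from any vendor tooling. It applies the three byte patterns from the rule above to a file the same way the rule's condition does (filesize below 20MB and at least one $x pattern present) and, for triage, names the Linux x86-64 syscalls that each hit encodes with the "push imm8; pop rax; syscall" idiom and decodes the stack string pushed by $x_1_1. The sample buffer in the main block is constructed here (an ELF magic followed by the $x_1_1 fragment); the syscall table is a partial one covering only the numbers used by these payloads.

```python
# Added example: minimal scanner for the Trojan_Linux_MsfShellBin_A_2147794796_0
# byte patterns. Not part of the original page; the sample input is constructed.
import sys

MAX_FILESIZE = 20 * 1024 * 1024  # the rule's "filesize < 20MB" bound

# Hex strings copied verbatim from the rule above.
PATTERNS = {
    "$x_1_1": "48 bb 2f 62 69 6e 2f 73 68 00 53 48 89 e7 52 57 48 89 e6 0f 05",
    "$x_1_2": "6a 3c 58 6a 01 5f 0f 05 5e 6a 26 5a 0f 05 48 85 c0 78 ed ff e6",
    "$x_1_3": ("0f 05 48 96 6a 2b 58 0f 05 50 56 5f 6a 09 58 99 b6 10 48 89 d6 "
               "4d 31 c9 6a 22 41 5a b2 07 0f 05 48 96 48 97 5f 0f 05 ff e6"),
}

# Partial x86-64 Linux syscall table: only the numbers Metasploit's Linux
# shell and stager payloads use.
SYSCALLS = {0: "read", 9: "mmap", 41: "socket", 42: "connect", 43: "accept",
            49: "bind", 50: "listen", 59: "execve", 60: "exit"}


def hex_to_bytes(hex_string):
    """Turn a YARA-style spaced hex string into bytes."""
    return bytes.fromhex(hex_string.replace(" ", ""))


def find_matches(data):
    """Return [(pattern_name, offset), ...] for every occurrence of every pattern."""
    hits = []
    for name, hex_string in PATTERNS.items():
        needle = hex_to_bytes(hex_string)
        offset = data.find(needle)
        while offset != -1:
            hits.append((name, offset))
            offset = data.find(needle, offset + 1)
    return hits


def matches_rule(data):
    """Evaluate the rule condition: filesize < 20MB and 1 of ($x*)."""
    return len(data) < MAX_FILESIZE and bool(find_matches(data))


def syscalls_in(code):
    """Name syscalls loaded as 'push imm8; pop rax' (6a XX 58) inside a byte string.

    Only this idiom is recognised. A syscall number that reaches rax another way,
    such as the read (0) that $x_1_3 obtains through xchg, is not reported.
    """
    names = []
    for i in range(len(code) - 2):
        if code[i] == 0x6A and code[i + 2] == 0x58:
            number = code[i + 1]
            names.append(SYSCALLS.get(number, "syscall_%d" % number))
    return names


def stack_string(code):
    """If the code starts with 'mov rbx, imm64' (48 bb), decode the 8-byte
    immediate as the NUL-terminated string it pushes on the stack."""
    if len(code) < 10 or code[:2] != b"\x48\xbb":
        return None
    return code[2:10].split(b"\x00", 1)[0].decode("ascii", "replace")


def scan_file(path):
    """Scan one file; print per-hit triage detail and return the rule verdict."""
    with open(path, "rb") as f:
        data = f.read()
    for name, offset in find_matches(data):
        code = hex_to_bytes(PATTERNS[name])
        print("%s at 0x%x: syscalls=%s string=%r"
              % (name, offset, syscalls_in(code), stack_string(code)))
    return matches_rule(data)


if __name__ == "__main__":
    # Constructed sample: ELF magic, padding, then the $x_1_1 execve fragment.
    sample = b"\x7fELF" + b"\x00" * 60 + hex_to_bytes(PATTERNS["$x_1_1"])
    print("constructed sample matches:", matches_rule(sample))
    for path in sys.argv[1:]:
        print(path, "matches:", scan_file(path))
```

Run it with one or more file paths to get the verdict and, per hit, the syscall names and the decoded "/bin/sh"; the syscall heuristic is deliberately narrow so it never mislabels bytes that are not the push/pop idiom.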