Concrete signature match: Trojan (appears legitimate but performs malicious actions), Linux platform, family Pupy
This is a Linux-based Pupy family Trojan, a known open-source remote access tool (RAT). It was detected via machine learning behavioral analysis, indicating suspicious activities consistent with an attacker attempting to gain remote control, execute commands, and potentially exfiltrate data from the compromised system.
No specific strings found for this threat
rule Trojan_Linux_Pupy_B_2147821036_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Linux/Pupy.B!MTB"
        threat_id = "2147821036"
        type = "Trojan"
        platform = "Linux: Linux platform"
        family = "Pupy"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"

    strings:
        $x_1_1 = {8a 01 3c 09 0f 94 c2 3c 20 0f 94 c0 08 c2 75 ?? 48 89 e0 45 31 c9 c6 84 24 00 11 00 00 00 48 8d 14 38 29 d6 44 8d 04 0e 49 63 d0 48 8d 3c 10} //weight: 1, accuracy: Low
        $x_1_2 = {88 8c 3c 90 21 00 00 48 ff c7 8a 0e 48 ff c6 80 f9 09 0f 95 c2 80 f9 20 0f 95 c0 84 d0 75 e1 41 8d 34 38 48 63 c7 c6 84 04 90 21 00 00 00 48 63 fe 48 8d 0c 3c eb 03} //weight: 1, accuracy: High
        $x_1_3 = {48 83 ca ff 48 89 c6 31 c0 fc 48 89 d1 48 89 f7 89 d5 f2 ae 48 f7 d1 48 01 d1 49 39 cf 0f 82 [0-5] 4c 89 f7 e8 [0-5] 4c 89 f7 e8 [0-5] 85 c0 89 c5} //weight: 1, accuracy: Low

    condition:
        (filesize < 20MB) and
        (2 of ($x*))
}

Hash: fcc21385d72f4f35f3ff38abba7ce729fe602ea6678b8f4dc66d2e62afa20431

Immediately isolate the affected Linux system from the network, perform a comprehensive scan with an updated EDR solution, and analyze system logs for further malicious activity. Reset all credentials associated with the compromised system and ensure all system patches are up-to-date to address potential vulnerabilities.