Signature match: Trojan (appears legitimate but performs malicious actions), Linux platform, family StealthWorker
This detection identifies a Linux trojan from the StealthWorker family, designed to perform brute-force attacks against services like SSH, FTP, and web hosting panels. Its presence on a Windows system suggests the file is likely dormant but poses a significant risk if transferred to or executed within a Linux environment, such as WSL.
rule Trojan_Linux_StealthWorker_A_2147832679_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Linux/StealthWorker.A!MTB"
        threat_id = "2147832679"
        type = "Trojan"
        platform = "Linux: Linux platform"
        family = "StealthWorker"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "4"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "WorkerSSH_brut.check_honeypot" ascii //weight: 1
        $x_1_2 = "WorkerSSH_brut.SaveGood" ascii //weight: 1
        $x_1_3 = "WorkerHtpasswd_check" ascii //weight: 1
        $x_1_4 = "WorkerWHM_brut" ascii //weight: 1
        $x_1_5 = "WorkerFTP_check" ascii //weight: 1
        $x_1_6 = "WorkerHtpasswd_brut" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (4 of ($x*))
}

Hashes listed with this signature:
e9523148ccdda530ca539f31bc3b0a317f9dfba41c749c44b4d6e6e754f1f2a1
73fb46792fa9370eb9b26ff95a940cfd4176f4a0d7437801e344da65f2e02c1d

Remediation:
1. Use your security software to quarantine and delete the detected file.
2. Investigate the file's origin (e.g., download, email, WSL instance) to understand the initial vector.
3. Perform a full system scan to check for any other related malicious components.
4. If the file was found on a network share or in WSL, investigate those environments for further signs of compromise.
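As an added example that is not part of the threatcheck.sh page, the rule's condition re-implemented in plain Python so the "4 of the 6 strings" threshold and the 20MB size limit can be checked offline without yara-python; the sample buffers and the function names are my own constructions, not real samples.

```python
# Re-implementation of the rule's condition: (filesize < 20MB) and (4 of ($x*)).
# The six markers are copied from the rule; everything else here is an assumption
# added for illustration and is not the page's or Microsoft's code.

STRINGS = [
    b"WorkerSSH_brut.check_honeypot",
    b"WorkerSSH_brut.SaveGood",
    b"WorkerHtpasswd_check",
    b"WorkerWHM_brut",
    b"WorkerFTP_check",
    b"WorkerHtpasswd_brut",
]
THRESHOLD = 4                 # "4 of ($x*)": four *distinct* strings must occur
MAX_SIZE = 20 * 1024 * 1024   # YARA's "20MB" uses binary megabytes


def matched_strings(data: bytes) -> list[bytes]:
    """Return the rule strings present in data (plain ascii, case-sensitive substring)."""
    return [s for s in STRINGS if s in data]


def rule_matches(data: bytes) -> bool:
    """True when the buffer is under 20MB and at least four distinct markers occur.
    A single marker repeated many times counts once, exactly as in YARA."""
    if len(data) >= MAX_SIZE:
        return False
    return len(matched_strings(data)) >= THRESHOLD


def scan_file(path: str) -> bool:
    """Convenience wrapper: evaluate the rule against a file on disk."""
    with open(path, "rb") as fh:
        return rule_matches(fh.read())


# Constructed sample buffers (not real malware): four distinct markers vs. only three.
SAMPLE_HIT = (b"\x7fELF..main.WorkerSSH_brut.check_honeypot..WorkerFTP_check.."
              b"WorkerWHM_brut..WorkerHtpasswd_brut..")
SAMPLE_MISS = (b"\x7fELF..WorkerSSH_brut.SaveGood..WorkerFTP_check.."
               b"WorkerHtpasswd_check..")

if __name__ == "__main__":
    print("hit buffer matches:", rule_matches(SAMPLE_HIT))
    print("miss buffer matches:", rule_matches(SAMPLE_MISS))
```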