Concrete signature match: Trojan Downloader - Downloads additional malware for Linux platform, family Mirai
This detection identifies the 'TrojanDownloader:Linux/Mirai.E!MTB' threat, a variant of the Mirai botnet family targeting Linux systems. Its primary function is to download and execute additional malicious payloads, likely to integrate the compromised device into a larger botnet used for launching Distributed Denial of Service (DDoS) attacks. The '!MTB' suffix indicates the detection was produced through behavioral machine learning analysis (Microsoft Threat Behavior).

Relevant strings associated with this threat:
- |#TEL (NID)
- }#TEL (NID)
- gq|#TEL (NID)
- gq}#TEL (NID)
- |#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
- }#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
- |#75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 (NID)
- }#75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 (NID)
- &|#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
- &}#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
- y*|#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
- y*}#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
- C|#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
- C}#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
- L|#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
- L}#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
- |#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
- }#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
- |#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
- }#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
rule TrojanDownloader_Linux_Mirai_E_2147819356_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "TrojanDownloader:Linux/Mirai.E!MTB"
        threat_id = "2147819356"
        type = "TrojanDownloader"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        // HTTP GET request line with a variable-length path, followed by "HTTP/1.0"
        $x_1_1 = {0a 00 47 45 54 20 2f [0-32] 20 48 54 54 50 2f 31 2e 30 0d 0a} //weight: 1, accuracy: Low
        // m68k-style code sequence with wildcarded bytes
        $x_1_2 = {48 78 00 10 48 6e ff ee 2f 03 61 ff ff ff fe ?? 24 00 4f ef 00 0c 6c 22 48 78 00 ?? 48 79 80 00 03 ?? 48 78 00 01 61 ff ff ff fe ?? 44 82 2f 02 61 ff ff ff fe ?? 4f ef 00 10 45 ea 00 ?? 2f 0a 48 79 80 00 03 ?? 2f 03 61 ff ff ff fe ?? 4f ef 00 0c b5 c0 67 0c 48 78 00 03 61 ff ff ff fe ?? 58 8f} //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Associated sample hash (SHA-256): f94b0f80e388a334966348b28425afc527d24be0f97eaa2015c89db70275ebd5

Remediation: Immediately isolate the compromised Linux device. Perform a full scan and remove the Mirai malware using updated security solutions. Enforce strong, unique credentials, patch all systems, disable unnecessary services, and implement network segmentation to prevent reinfection and contain potential botnet activity.