Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This detection identifies a component of the Mirai botnet, which targets Linux-based systems and IoT devices. The malware functions as a backdoor: an attacker can control the infected device and enlist it in coordinated Distributed Denial-of-Service (DDoS) attacks. Because this is a Linux ELF signature, a hit on a Windows system may indicate a compromised WSL instance or that the machine is being used to stage the threat (for example, the file sitting on a share or in a download directory). The rule is a plain string match, so treat it as one indicator: a variant that renames its lock file or changes its download command will not trip it.
The rule keys on three ASCII strings, listed below; all three must be present in a file smaller than 20 MB.
rule Backdoor_Linux_Mirai_LG_2147947519_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.LG!MTB"
        threat_id = "2147947519"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "3"
        strings_accuracy = "High"
    strings:
        // HTTP response header that Mirai's HTTP-flood code looks for to spot a DDoS-mitigation front end
        $x_1_1 = "Server: DOSarrest" ascii //weight: 1
        // Lock-file path, presumably a single-instance guard so the bot does not run twice on one host
        $x_1_2 = "tmp/.instance_lock" ascii //weight: 1
        // BusyBox ftpget invocation (verbose, anonymous user) used to pull a payload over FTP
        $x_1_3 = "ftpget -v -u anonymous" ascii //weight: 1
    condition:
        // Three strings at weight 1 each against a threshold of 3: every string must be present
        (filesize < 20MB) and
        (all of ($x*))
}

Associated file hashes (SHA-256):
484c03a2acf71b65409bd540cad117361e31b50e243ebd56244ee6e90e741ccf
9b9dbb95ba9e39c1706de99639adffa83a9cd25d33932218fc728f2578848950
c5f329b6c92027aa18f2055d5893c483f26ec6ece96a3ca65c5e24d55324e2cf
4ba70027fdfa176f4ce98a9b46e31070ac40738b0a9ef7f12fcbc126b806d47b
f67f3289b85d0e32cc684daef675b73790f1a38c6772ec30d85f6429135d39ec

Remediation steps:
1. Isolate the affected machine from the network.
2. Ensure Windows Defender has quarantined or removed the malicious file.
3. Investigate the source of the file, checking for compromised WSL instances or network shares.
4. Change all default credentials on network-connected Linux devices and IoT hardware and ensure they are fully patched.
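To show how the rule's condition behaves on actual input, here is an added example (it is not code from threatcheck.sh or from Microsoft's engine): a small Python scanner that applies the same three-string check and 20 MB size bound to a byte buffer or a file and reports which indicators hit, so a responder triaging a binary pulled from a WSL rootfs or a network share can see why it did or did not match without installing yara. The weight/threshold scoring is an assumption about how the rule's meta fields are meant to be read (for this rule it is identical to "all of"), and the sample buffers are constructed, not real malware.

```python
# Added example, not part of the threatcheck.sh page. Reimplements the logic of
# Backdoor_Linux_Mirai_LG_2147947519_0 in plain Python for offline triage.
import os
from dataclasses import dataclass, field

MAX_SIZE = 20 * 1024 * 1024  # YARA's "filesize < 20MB"

# The three ASCII indicators from the rule, each with its weight.
INDICATORS = {
    "x_1_1": (b"Server: DOSarrest", 1),       # header Mirai's HTTP-flood code checks for
    "x_1_2": (b"tmp/.instance_lock", 1),      # single-instance lock file
    "x_1_3": (b"ftpget -v -u anonymous", 1),  # BusyBox ftpget stager command
}
# Assumed reading of meta threshold = "3": sum of matched weights must reach it.
THRESHOLD = 3


@dataclass
class ScanResult:
    size_ok: bool
    matched: list = field(default_factory=list)
    score: int = 0

    @property
    def detected(self) -> bool:
        # Mirrors the rule's condition: size bound AND enough weighted matches.
        return self.size_ok and self.score >= THRESHOLD


def scan_bytes(data: bytes) -> ScanResult:
    """Apply the rule's string and size checks to an in-memory buffer."""
    matched = [name for name, (needle, _w) in INDICATORS.items() if needle in data]
    score = sum(INDICATORS[name][1] for name in matched)
    return ScanResult(size_ok=len(data) < MAX_SIZE, matched=matched, score=score)


def scan_file(path: str) -> ScanResult:
    """Apply the rule to a file on disk, skipping the read when the size bound already fails."""
    if os.path.getsize(path) >= MAX_SIZE:
        return ScanResult(size_ok=False)
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed samples: an ELF magic, some padding, and the indicator strings.
ELF_MAGIC = b"\x7fELF"
SAMPLE_FULL = (ELF_MAGIC + b"\x00" * 64
               + b"Server: DOSarrest\x00tmp/.instance_lock\x00ftpget -v -u anonymous\x00")
SAMPLE_PARTIAL = (ELF_MAGIC + b"\x00" * 64
                  + b"Server: DOSarrest\x00ftpget -v -u anonymous\x00")

if __name__ == "__main__":
    for label, blob in (("full", SAMPLE_FULL), ("partial", SAMPLE_PARTIAL)):
        r = scan_bytes(blob)
        print(f"{label}: detected={r.detected} matched={r.matched} score={r.score}")
```

The partial sample carries two of the three strings and scores 2, so it is not flagged; that is the brittleness noted above, since dropping or renaming any one indicator is enough to evade the rule.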