Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Gafgyt
This detection identifies Backdoor:Linux/Gafgyt.A, a Linux-based Gafgyt botnet variant primarily used for Distributed Denial of Service (DDoS) attacks. The malware gives the operator remote control of the host, accepting commands such as 'KILLALL' and taking part in various flood attacks; the embedded string 'dayzddos.co' likely points to the attacker's command-and-control infrastructure.
Relevant strings associated with this threat:
rule Backdoor_Linux_Gafgyt_A_2147755852_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Gafgyt.A!MTB"
        threat_id = "2147755852"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Gafgyt"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "4"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "/x54/x53/x6f/x75/x72/x63/x65/x20/x45/x6e/x67/x69/x6e/x65/x20/x51/x75/x65/x72/x79" ascii //weight: 1 (decodes to "TSource Engine Query")
        $x_1_2 = "KILLALL" ascii //weight: 1
        $x_1_3 = "botname:" ascii //weight: 1
        $x_2_4 = "dayzddos.co" ascii //weight: 2
        $x_1_5 = "vseattack" ascii //weight: 1
        $x_1_6 = "stdhexflood" ascii //weight: 1
        $x_1_7 = "lololololol" ascii //weight: 1
    condition:
        // Weighted match: total string weight must reach the threshold of 4
        (filesize < 20MB) and
        (
            ((4 of ($x_1_*))) or
            ((1 of ($x_2_*) and 2 of ($x_1_*))) or
            (all of ($x*))
        )
}

Immediately isolate the affected Linux system from the network. Use updated security software to scan for and remove the Gafgyt malware. Subsequently, patch all system vulnerabilities, update credentials for all accounts on the compromised system, and implement network segmentation and egress filtering to block potential command-and-control (C2) communications.