Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Gafgyt
This detection covers a critical-severity Linux Gafgyt botnet variant, identified by the concrete string signature below and by its behaviour. The binary establishes a backdoor, connects to a hardcoded command-and-control server at 64.225.125.105:6969, and carries Distributed Denial of Service (DDoS) attack routines; the embedded strings name a UDP flood (udpfl00d), HTTP STOMP (HTTPSTOMP) and further attack methods (OVHKILL, NFOKILL). The C2 endpoint string is itself one of the heavier-weighted signature strings, so it is also a usable network indicator.
rule Backdoor_Linux_Gafgyt_AI_2147767628_0
{
meta:
author = "threatcheck.sh"
detection_name = "Backdoor:Linux/Gafgyt.AI!MTB"
threat_id = "2147767628"
type = "Backdoor"
platform = "Linux: Linux platform"
family = "Gafgyt"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
threshold = "5"
strings_accuracy = "High"
strings:
$x_1_1 = "SendHTTPHex" ascii //weight: 1
$x_1_2 = "udpfl00d" ascii //weight: 1
$x_1_3 = "OVHKILL" ascii //weight: 1
$x_1_4 = "NFOKILL" ascii //weight: 1
$x_1_5 = "HTTPSTOMP" ascii //weight: 1
$x_2_6 = "64.225.125.105:6969" ascii //weight: 2
$x_2_7 = "vseattack" ascii //weight: 2
$x_2_8 = "Self Rep Fucking NeTiS and Thisity 0n Ur FuCkInG FoReHeAd We BiG L33T HaxErS" ascii //weight: 2
condition:
(filesize < 20MB) and
(
((5 of ($x_1_*))) or
((1 of ($x_2_*) and 3 of ($x_1_*))) or
((2 of ($x_2_*) and 1 of ($x_1_*))) or
((3 of ($x_2_*))) or
(all of ($x*))
)
}

SHA-256: c1c4f1c5aac0226e55dc5a531b7a5072a387ddcb0366278f719aa44701e22435

Isolate the compromised Linux host immediately, kill and remove the detected binary, and block the hardcoded C2 endpoint 64.225.125.105 (port 6969) at the network perimeter; keep logging connection attempts to it, because any further attempt identifies another infected host. Conduct a full forensic analysis to identify persistence mechanisms (for example cron jobs, init scripts or systemd units that relaunch the binary), lateral movement, and other potentially compromised systems. Gafgyt variants are commonly spread by brute-forcing weak or default credentials on exposed remote-access services, so replace such credentials, restrict those services, and ensure all Linux systems are fully patched.
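As an added example (not part of the original page or of threatcheck.sh), the following pure-Python triage script re-implements the rule's weighted scoring: each $x_1_* hit counts 1, each $x_2_* hit counts 2, and the enumerated condition clauses turn out to be exactly "score >= 5", the value given in the rule's threshold meta field. The sample buffers are constructed test data, not real Gafgyt binaries. It is useful for checking what the condition actually requires and for a quick scan on hosts where yara is not installed.

```python
"""
Added example, not code from the original page: re-implementation of the
weighted string scoring behind Backdoor_Linux_Gafgyt_AI_2147767628_0.
The byte strings are copied from the rule; the sample buffers below are
fabricated test data, not real malware.
"""
import sys

# Rule strings; the weight is encoded in the YARA identifier ($x_<weight>_<n>).
WEIGHT_1 = [b"SendHTTPHex", b"udpfl00d", b"OVHKILL", b"NFOKILL", b"HTTPSTOMP"]
WEIGHT_2 = [
    b"64.225.125.105:6969",
    b"vseattack",
    b"Self Rep Fucking NeTiS and Thisity 0n Ur FuCkInG FoReHeAd We BiG L33T HaxErS",
]
THRESHOLD = 5                 # meta: threshold = "5"
MAX_SIZE = 20 * 1024 * 1024   # condition: filesize < 20MB


def find_strings(data: bytes):
    """Return (weight-1 hits, weight-2 hits) present in the buffer."""
    return [s for s in WEIGHT_1 if s in data], [s for s in WEIGHT_2 if s in data]


def score(data: bytes) -> int:
    """Weighted sum: a weight-1 hit counts 1, a weight-2 hit counts 2."""
    w1, w2 = find_strings(data)
    return len(w1) + 2 * len(w2)


def yara_condition(n1: int, n2: int, size: int = 1) -> bool:
    """Literal transcription of the rule's condition block, given hit counts."""
    if not size < MAX_SIZE:
        return False
    return (
        n1 >= 5                              # 5 of ($x_1_*)
        or (n2 >= 1 and n1 >= 3)             # 1 of ($x_2_*) and 3 of ($x_1_*)
        or (n2 >= 2 and n1 >= 1)             # 2 of ($x_2_*) and 1 of ($x_1_*)
        or n2 >= 3                           # 3 of ($x_2_*)
        or (n1 == len(WEIGHT_1) and n2 == len(WEIGHT_2))  # all of ($x*)
    )


def matches(data: bytes) -> bool:
    """True if the buffer would match the YARA rule."""
    w1, w2 = find_strings(data)
    return yara_condition(len(w1), len(w2), len(data))


def condition_equals_threshold() -> bool:
    """Verify that the enumerated clauses are exactly 'weighted score >= 5'
    for every possible combination of hit counts."""
    for n1 in range(len(WEIGHT_1) + 1):
        for n2 in range(len(WEIGHT_2) + 1):
            if yara_condition(n1, n2) != (n1 + 2 * n2 >= THRESHOLD):
                return False
    return True


# Constructed sample buffers (fabricated, not real samples).
SAMPLE_HIT = (b"\x7fELF" + b"\x00" * 32
              + b"udpfl00d\x00HTTPSTOMP\x0064.225.125.105:6969\x00vseattack\x00")
SAMPLE_NEAR_MISS = (b"\x7fELF" + b"\x00" * 32
                    + b"udpfl00d\x00OVHKILL\x00NFOKILL\x00HTTPSTOMP\x00")  # 4 x weight 1
SAMPLE_CLEAN = b"\x7fELF" + b"\x00" * 32 + b"/usr/bin/ls\x00"


def report(name: str, data: bytes) -> str:
    w1, w2 = find_strings(data)
    return (f"{name}: score={score(data)} match={matches(data)} "
            f"w1={[s.decode() for s in w1]} w2={[s[:20].decode() for s in w2]}")


if __name__ == "__main__":
    # Usage: python gafgyt_score.py [file ...]; with no arguments, run the samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(report(path, fh.read()))
    else:
        print("condition == (score >= 5):", condition_equals_threshold())
        for name, buf in [("hit", SAMPLE_HIT), ("near_miss", SAMPLE_NEAR_MISS),
                          ("clean", SAMPLE_CLEAN)]:
            print(report(name, buf))
```

The near-miss buffer shows why the weighting matters: four of the five attack-method names give a score of 4 and do not match, while two of them plus the C2 string and "vseattack" score 6 and do. The check also encodes the 20MB size cap, which the rule applies before any string is counted.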