Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Gafgyt
Backdoor:Linux/Gafgyt.AZ!xp is a variant of the Gafgyt malware family that targets Linux-based systems, often IoT devices. The malware incorporates the compromised device into a botnet to participate in Distributed Denial-of-Service (DDoS) attacks. It also contains functionality to find and terminate other processes, likely to remove competing malware or security tools.
rule Backdoor_Linux_Gafgyt_AZ_2147817555_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Gafgyt.AZ!xp"
        threat_id = "2147817555"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Gafgyt"
        severity = "Critical"
        info = "xp: an internal category used to refer to some threats"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "3"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "wkUxzvutsrqp_nm-ihgfFCcba" ascii //weight: 1
        $x_1_2 = "sending kill request" ascii //weight: 1
        $x_1_3 = "[killer] finding and killing processes holding port" ascii //weight: 1
        $x_1_4 = "[attack] starting attack" ascii //weight: 1
        $x_1_5 = "/proc/cpuinfo" ascii //weight: 1
        $x_1_6 = "npxXoudifFeEgGaACScs" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (3 of ($x*))
}

Recommended remediation steps:

1. Isolate the affected Linux device from the network.
2. Identify and remove the malicious file and its persistence mechanisms (e.g., cron jobs, startup scripts).
3. Re-image the device from a known-good backup and change all credentials.
4. Investigate and patch the initial point of compromise, such as weak passwords or unpatched services.
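To make the rule's condition concrete, here is an added Python stand-in (not threatcheck.sh's code and not the YARA engine) that applies the six ascii strings and the `filesize < 20MB` / `3 of ($x*)` condition to byte buffers with plain substring search. The two sample buffers are constructed for the example; the "benign" one hits only the two strings that any static Linux binary can contain, which is why the rule needs three.

```python
# Added example: minimal emulation of rule Backdoor_Linux_Gafgyt_AZ_2147817555_0.
# It is a stand-in for libyara, not the real engine: no ELF parsing, no "xp"
# category handling, just the rule's ascii strings and its condition.
from __future__ import annotations

# The six ascii strings from the rule above, each with weight 1.
GAFGYT_AZ_STRINGS: dict[str, bytes] = {
    "$x_1_1": b"wkUxzvutsrqp_nm-ihgfFCcba",
    "$x_1_2": b"sending kill request",
    "$x_1_3": b"[killer] finding and killing processes holding port",
    "$x_1_4": b"[attack] starting attack",
    "$x_1_5": b"/proc/cpuinfo",
    "$x_1_6": b"npxXoudifFeEgGaACScs",
}
MAX_FILESIZE = 20 * 1024 * 1024  # "filesize < 20MB" (YARA's MB is 1024*1024)
THRESHOLD = 3                    # "3 of ($x*)"


def matched_strings(data: bytes) -> list[str]:
    """Return the identifiers of every rule string found in `data`, in rule order."""
    return [name for name, needle in GAFGYT_AZ_STRINGS.items() if needle in data]


def rule_matches(data: bytes) -> bool:
    """Emulate the condition: (filesize < 20MB) and (3 of ($x*))."""
    if len(data) >= MAX_FILESIZE:
        return False
    return len(matched_strings(data)) >= THRESHOLD


# Constructed sample buffers (not real samples): an ELF-like prefix followed by
# a few NUL-terminated strings of the kind a Gafgyt build or a benign binary carries.
ELF_MAGIC = b"\x7fELF"
SUSPECT = (ELF_MAGIC + b"\x00" * 64
           + b"[killer] finding and killing processes holding port %d\x00"
           + b"[attack] starting attack\x00"
           + b"/proc/cpuinfo\x00")
# Only $x_1_5 and $x_1_6 (a printf conversion-character table) appear here;
# both are common in ordinary static Linux binaries, so two hits must not fire.
BENIGN = ELF_MAGIC + b"\x00" * 64 + b"/proc/cpuinfo\x00npxXoudifFeEgGaACScs\x00"

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(f"{label}: match={rule_matches(blob)} hits={matched_strings(blob)}")
```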