Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Gafgyt
This threat is a backdoor from the Gafgyt malware family, which targets Linux systems and IoT devices. It is designed to add the compromised device to a botnet for use in Distributed Denial-of-Service (DDoS) attacks. The '!MTB' suffix indicates detection by a machine learning behavioral model, identifying activity consistent with this malware.
No specific strings found for this threat
rule Backdoor_Linux_Gafgyt_BI_2147818541_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Gafgyt.BI!MTB"
        threat_id = "2147818541"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Gafgyt"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {8b 45 0c 8a 00 25 ff 00 00 00 83 ec 08 50 ff 75 08 e8 [0-5] 83 c4 10 ff 45 f0 ff 45 0c 8b 45 0c 8a 00 84 c0} //weight: 1, accuracy: Low
        $x_1_2 = {83 ec 08 ff 75 f4 ff 75 08 e8 [0-5] 83 c4 10 ff 45 f0 ff 4d 10 83 7d 10 00 7f [0-3] 8b 45 f0 c9 c3} //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

6f0ef8347bc224ca65fa15567f8ba5b3c47a7a5524db4ef606f4686e850e1f09

Isolate the compromised system from the network immediately. Identify and delete the malicious file and terminate any related processes. Change all credentials, remove any persistence mechanisms (e.g., cron jobs, startup scripts), and apply all available security patches to prevent reinfection.