Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Gafgyt
This detection identifies a backdoor from the Gafgyt family, a well-known botnet that targets Linux-based and IoT devices. Once infected, the system is controlled by an attacker and used to launch Distributed Denial of Service (DDoS) attacks and scan for other vulnerable devices to propagate.
No human-readable strings are recorded for this threat; the rule below matches on a single hex byte pattern only.
rule Backdoor_Linux_Gafgyt_BK_2147818448_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Gafgyt.BK!MTB"
        threat_id = "2147818448"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Gafgyt"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"
    strings:
        // 32-bit x86 code bytes; they read as an unoptimised decimal string-to-integer (atoi-style) loop
        $x_2_1 = { 8b 45 e0 c1 e0 02 03 45 e0 01 c0 89 45 e0 8b 45 0c 0f b6 00 0f b6 c0 03 45 e0 83 e8 30 89 45 e0 ff 45 0c 8b 45 0c 0f b6 00 3c 2f 76 0a 8b 45 0c 0f b6 00 3c 39 } //weight: 2, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

SHA-256: 53332790a6261e07d6148b92f49a89208fdc0fd2faceffd9a8e5d21988c838b8

Remediation: Isolate the compromised Linux device from the network immediately. Remove the detected malicious file and analyze system logs to identify the initial access vector. Because the bot also scans for other vulnerable devices, check neighbouring hosts on the same segment with the rule above rather than relying on the single listed hash, which identifies one sample only. Change all user and administrative passwords, apply all available security patches, and disable any unnecessary services such as Telnet to prevent reinfection.
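The following is an added example, not code from threatcheck.sh or from the signature above: a small Python matcher that mirrors the rule's condition (filesize under 20MB, all $x* strings present, weight against the stated threshold) and runs it over two constructed byte buffers. The disassembly in the comments is my own reading of the $x_2_1 bytes as 32-bit x86 and is not stated on the page; the helper names, the constructed samples and the `??` wildcard support are assumptions for illustration.

```python
import hashlib
import re
from pathlib import Path

# Byte pattern copied from $x_2_1 of rule Backdoor_Linux_Gafgyt_BK_2147818448_0.
# My reading of the bytes as 32-bit x86 (not from the page): an unoptimised
# decimal string-to-integer loop, i.e. what a hand-rolled atoi() compiles to
# at -O0, with x at [ebp-0x20] and the char pointer p at [ebp+0x0c]:
#   8b 45 e0 c1 e0 02 03 45 e0 01 c0 89 45 e0             ; x = ((x << 2) + x) * 2  -> x *= 10
#   8b 45 0c 0f b6 00 0f b6 c0 03 45 e0 83 e8 30 89 45 e0 ; x = x + *p - '0'
#   ff 45 0c                                              ; p++
#   8b 45 0c 0f b6 00 3c 2f 76 0a                         ; if (*p <= '/') leave loop
#   8b 45 0c 0f b6 00 3c 39                               ; cmp *p, '9'  (upper bound check)
RULE_STRINGS = {
    "x_2_1": (
        "8b 45 e0 c1 e0 02 03 45 e0 01 c0 89 45 e0 8b 45 0c 0f b6 00 0f b6 c0 "
        "03 45 e0 83 e8 30 89 45 e0 ff 45 0c 8b 45 0c 0f b6 00 3c 2f 76 0a "
        "8b 45 0c 0f b6 00 3c 39"
    ),
}
STRING_WEIGHTS = {"x_2_1": 2}       # "weight: 2" from the rule's string comment
THRESHOLD = 2                       # meta: threshold = "2"
MAX_FILESIZE = 20 * 1024 * 1024     # condition: filesize < 20MB
LISTED_SHA256 = "53332790a6261e07d6148b92f49a89208fdc0fd2faceffd9a8e5d21988c838b8"


def hex_pattern_to_regex(hex_text: str) -> re.Pattern:
    """Turn a YARA hex string body into a bytes regex.

    Handles fixed bytes and the `??` wildcard (this rule uses none). Jumps such
    as [4-8] are rejected rather than silently ignored.
    """
    parts = []
    for tok in hex_text.split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9a-fA-F]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex token {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(body) for name, body in RULE_STRINGS.items()}


def evaluate_rule(data: bytes) -> dict:
    """Mirror of the rule condition: filesize < 20MB and all of ($x*)."""
    if len(data) >= MAX_FILESIZE:
        return {"matched": False, "hits": {}, "weight": 0, "reason": "filesize"}
    hits = {name: [m.start() for m in pat.finditer(data)] for name, pat in COMPILED.items()}
    weight = sum(STRING_WEIGHTS[name] for name, offs in hits.items() if offs)
    matched = all(hits.values()) and weight >= THRESHOLD
    return {"matched": matched, "hits": hits, "weight": weight,
            "reason": None if matched else "strings"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_file(path: str) -> dict:
    """Evaluate the rule against a file on disk and compare its hash to the listed sample."""
    data = Path(path).read_bytes()
    result = evaluate_rule(data)
    result["sha256"] = sha256_hex(data)
    result["hash_listed"] = result["sha256"] == LISTED_SHA256
    return result


# Constructed samples (not real Gafgyt binaries): an ELF-looking header with the
# signature bytes embedded at offset 64, and the same layout with NOPs instead.
PATTERN_BYTES = bytes.fromhex(RULE_STRINGS["x_2_1"].replace(" ", ""))
SAMPLE_HIT = b"\x7fELF\x01\x01\x01" + b"\x00" * 57 + PATTERN_BYTES + b"\x00" * 32
SAMPLE_CLEAN = b"\x7fELF\x01\x01\x01" + b"\x00" * 57 + b"\x90" * len(PATTERN_BYTES) + b"\x00" * 32

if __name__ == "__main__":
    for label, blob in (("hit", SAMPLE_HIT), ("clean", SAMPLE_CLEAN)):
        r = evaluate_rule(blob)
        print(f"{label}: matched={r['matched']} weight={r['weight']} offsets={r['hits']}")
```

Because the pattern is compiled code rather than a string, it survives renaming and string obfuscation but not recompilation for a different architecture or at a higher optimisation level, so treat a miss on an ARM or MIPS build as inconclusive and confirm with `scan_file` only on x86 ELF binaries.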