Backdoor:Linux/Gafgyt.BS!xp - Windows Defender Threat Analysis

Backdoor:Linux/Gafgyt.BS!xp is a variant of the Gafgyt botnet malware targeting Linux-based systems, including servers and IoT devices. It compromises the device, incorporating it into a botnet to launch Distributed Denial-of-Service (DDoS) attacks and allowing a remote attacker to execute commands.

No specific strings found for this threat

rule Backdoor_Linux_Gafgyt_BS_2147819149_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Gafgyt.BS!xp"
        threat_id = "2147819149"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Gafgyt"
        severity = "Critical"
        info = "xp: an internal category used to refer to some threats"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {a0 00 0b e5 a4 10 0b e5 a8 20 0b e5 ac 30 0b e5 00 30 a0 e3 9c 30 0b e5 a4 30 1b e5 98 30 0b e5 94 30 4b e2 10 30 0b e5 00 30 a0 e3 14 30 0b e5 06 00 00}  //weight: 1, accuracy: High
        $x_1_2 = {30 9f e5 00 10 93 e5 20 20 1b e5 24 30 1b e5 02}  //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate the affected system from the network to prevent further malicious activity. Remove the detected file and conduct a full system scan. Investigate the initial access vector, change all credentials, and apply all available security patches to prevent reinfection.