Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Gafgyt
This detection identifies a variant of the Gafgyt malware family, a botnet that primarily targets Linux-based systems and IoT devices. It acts as a backdoor, allowing a remote attacker to gain control of the compromised device and incorporate it into a botnet for launching Distributed Denial-of-Service (DDoS) attacks.
No specific strings found for this threat
rule Backdoor_Linux_Gafgyt_CD_2147820428_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Gafgyt.CD!xp"
        threat_id = "2147820428"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Gafgyt"
        severity = "Critical"
        info = "xp: an internal category used to refer to some threats"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {20 9f e5 04 30 82 e5 14 30 1b e5 3d 34 83 e2 91 38 43 e2 32 3d 43 e2 0e 30 43 e2 74 20 9f e5 08 30 82 e5 03} //weight: 1, accuracy: High
        $x_1_2 = {30 83 e2 18 30 0b e5 00 30 a0 e3 28 30 0b e5 28 20 1b e5 2c 20 0b e5 18 30 1b e5 00 30 d3 e5 00 00 53 e3} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

f7da443aa9852a42e425a36cf007a4866011625743ca8e8079d6e87008b545be
8213330f513bca063390a73faa73e6133c7b4e69eb05b4be597e94f7bc10eca6

Isolate the affected device from the network immediately to prevent it from participating in attacks. Remove the detected malicious file. Harden the device by changing all default or weak credentials to strong, unique passwords, disabling unnecessary services such as Telnet, and applying the latest security patches or firmware updates from the vendor.
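As an added example (not part of the threatcheck.sh page or of the rule itself), the script below reimplements the rule's condition in Python so a binary can be checked for both ARM byte sequences without a YARA install; the ELF-like buffers it scans are constructed here and are not real samples, and the ELF magic check mirrors the signature type name rather than anything in the rule's own condition.

```python
import re

# Byte patterns copied verbatim from $x_1_1 and $x_1_2 in the rule above
# (little-endian ARM instruction sequences).
PATTERNS = {
    "$x_1_1": bytes.fromhex(
        "20 9f e5 04 30 82 e5 14 30 1b e5 3d 34 83 e2 91 38 43 e2 32 3d 43 e2 "
        "0e 30 43 e2 74 20 9f e5 08 30 82 e5 03"),
    "$x_1_2": bytes.fromhex(
        "30 83 e2 18 30 0b e5 00 30 a0 e3 28 30 0b e5 28 20 1b e5 2c 20 0b e5 "
        "18 30 1b e5 00 30 d3 e5 00 00 53 e3"),
}
MAX_FILESIZE = 20 * 1024 * 1024   # YARA's "20MB" means 20 * 2^20 bytes
ELF_MAGIC = b"\x7fELF"


def find_strings(data: bytes) -> dict:
    """Map each rule string id to the offsets at which it occurs in data."""
    hits = {}
    for name, pat in PATTERNS.items():
        offsets = [m.start() for m in re.finditer(re.escape(pat), data)]
        if offsets:
            hits[name] = offsets
    return hits


def matches_rule(data: bytes) -> bool:
    """Replicates the condition: (filesize < 20MB) and (all of ($x*))."""
    if len(data) >= MAX_FILESIZE:
        return False
    # 'all of ($x*)' requires every pattern to be present at least once;
    # with two weight-1 strings this is the same as meeting threshold = 2.
    return len(find_strings(data)) == len(PATTERNS)


def is_elf(data: bytes) -> bool:
    """Triage helper (assumption: ELFHSTR signatures are meant for ELF files)."""
    return data[:4] == ELF_MAGIC


# Constructed test buffers, not real malware: one carrying both patterns,
# one carrying only $x_1_1 (so the rule must not fire on it).
SAMPLE_HIT = ELF_MAGIC + b"\x00" * 60 + PATTERNS["$x_1_1"] + b"\x90" * 16 + PATTERNS["$x_1_2"]
SAMPLE_MISS = ELF_MAGIC + b"\x00" * 60 + PATTERNS["$x_1_1"]

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(label, is_elf(buf), matches_rule(buf), find_strings(buf))
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `matches_rule`; `find_strings` then gives the offsets to inspect in a disassembler.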