Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Gafgyt
This is a concrete detection of Backdoor:Linux/Gafgyt.CW, a specific variant of the Gafgyt botnet malware. It primarily targets Linux systems, establishing a backdoor for unauthorized access and control, typically to incorporate the system into a botnet for Distributed Denial of Service (DDoS) attacks.
No specific strings found for this threat
rule Backdoor_Linux_Gafgyt_CW_2147827514_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Gafgyt.CW!MTB"
        threat_id = "2147827514"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Gafgyt"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"

    strings:
        $x_1_1 = {bf 00 2c af be 00 28 03 a0 f0 21 af bc 00 10 af c4 00 30 af c0 00 1c 8f c4 00 30 8f 99 81 78 00} //weight: 1, accuracy: High
        $x_1_2 = {a2 00 18 8f c4 00 50 00 60 28 21 24 06 00 0a 24 07 00 01 8f 82 80 20 00 00} //weight: 1, accuracy: High

    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

44cbe296b07c24f5d42e872cec62c2c4bd327031b8b40832aeacda1dd0e71051

Immediately isolate the compromised Linux system. Perform a full system scan to remove the Gafgyt malware. Patch all operating system and software vulnerabilities, reset credentials for any potentially affected accounts, and review network logs for further compromise indicators. Enhance firewall rules to restrict outbound connections.