Backdoor:Linux/Gafgyt.JJ - Windows Defender Threat Analysis

Backdoor:Linux/Gafgyt.JJ is a concrete detection of a Gafgyt family variant targeting Linux systems. This backdoor provides remote access and control, typically used to enroll compromised devices into a botnet for distributed denial-of-service (DDoS) attacks.

No specific strings found for this threat

rule Backdoor_Linux_Gafgyt_JJ_2147829081_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Gafgyt.JJ"
        threat_id = "2147829081"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Gafgyt"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {37 9e 02 3c b9 79 42 34 21 18 62 00 18 80 82 8f 00 00 00 00 [0-2] 42 24 04 00 43 ac 18 00 c3 8f 6e 3c 02 3c 72 f3 42 34}  //weight: 1, accuracy: Low
        $x_1_2 = {3c 02 9e 37 34 42 79 b9 00 62 18 21 8f 82 80 18 00 00 00 00 24 42 [0-2] ac 43 00 04 8f c3 00 18 3c 02 3c 6e 34 42 f3 72}  //weight: 1, accuracy: Low
        $x_1_3 = {26 18 a2 00 08 00 c2 8f 00 00 00 00 26 18 62 00 37 9e 02 3c b9 79 42 34 26 20 62 00}  //weight: 1, accuracy: High
        $x_1_4 = {00 a2 18 26 8f c2 00 08 00 00 00 00 00 62 18 26 3c 02 9e 37 34 42 79 b9 00 62 20 26}  //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (2 of ($x*))
}

Immediately isolate the compromised Linux system. Remove the detected malware and perform a comprehensive system scan for additional malicious artifacts or persistence mechanisms. Change all system credentials, patch any exploited vulnerabilities, and reinforce network security measures to prevent future infections.