Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Gafgyt
This threat is a variant of the Gafgyt botnet malware, specifically targeting Linux-based systems, often IoT devices. It functions as a backdoor, allowing a remote attacker to control the infected device. Its primary purpose is to launch Distributed Denial of Service (DDoS) attacks and spread to other vulnerable systems.
No specific strings found for this threat
rule Backdoor_Linux_Gafgyt_L_2147793957_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Gafgyt.L!xp"
        threat_id = "2147793957"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Gafgyt"
        severity = "Critical"
        info = "xp: an internal category used to refer to some threats"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "3"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "attack_parsing" ascii //weight: 1
        $x_1_2 = "scanner_kill" ascii //weight: 1
        $x_1_3 = "killer_kill_by_cmdline" ascii //weight: 1
        $x_1_4 = "tcpbypass" ascii //weight: 1
        $x_1_5 = "udpbypass" ascii //weight: 1
        $x_1_6 = "scanner_pause_process" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (3 of ($x*))
}

15b65716d6044566c43046a0dfff7cb699890dd5ea4b8bc120b72e38d3f7394e
0133bca03aaf8c4ea5dcbba64af8525b3b0a7648bc2529dc0bd0d5f0c760d359
bbe3c8fa5a5d576828c2f9caf17d4e3e98d77e3870f01044b4afe180f49e2656
04e5a588df2f800e1e4c362c5b7b8d95e8aea5362a3a019a9f9e91f06e0b5b93

Immediately isolate the affected Linux device from the network to prevent further spread or participation in attacks. Identify and terminate the malicious process, then delete the detected file. Change all credentials on the compromised host and consider reimaging the system or performing a factory reset for IoT devices.
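The rule above is a threshold signature: any three of its six weight-1 strings inside a file under 20 MB trigger it. The following is an added example, not code from threatcheck.sh or from the rule's author, that re-implements that condition in plain Python so the logic can be exercised on constructed buffers without a YARA engine. The function names, the `Verdict` type and the sample buffers are assumptions made here for illustration; the strings, threshold and size limit are taken from the rule. It also adds an optional ELF-magic gate, because the rule text itself carries no ELF check and relies on the engine scoping it to ELF images (the `ELFHSTR` signature type), which matters if the strings are reused in a generic hunting script.

```python
"""Pure-Python evaluation of the Backdoor_Linux_Gafgyt_L_2147793957_0 condition.

Added example (assumption: names below are illustrative, not the vendor's API).
"""
from dataclasses import dataclass, field
from typing import List

# The six weight-1 strings from the rule, in rule order.
GAFGYT_L_STRINGS: List[bytes] = [
    b"attack_parsing",
    b"scanner_kill",
    b"killer_kill_by_cmdline",
    b"tcpbypass",
    b"udpbypass",
    b"scanner_pause_process",
]
THRESHOLD = 3                     # "3 of ($x*)"
MAX_FILESIZE = 20 * 1024 * 1024   # "filesize < 20MB"; YARA's MB is 2**20 bytes
ELF_MAGIC = b"\x7fELF"


@dataclass
class Verdict:
    matched: bool
    hits: List[str] = field(default_factory=list)  # which $x strings were found
    reason: str = ""


def evaluate_rule(data: bytes) -> Verdict:
    """Apply the rule's condition to an in-memory buffer.

    Mirrors YARA semantics for plain `ascii` strings: a case-sensitive
    substring search anywhere in the file, counted once per string.
    """
    if len(data) >= MAX_FILESIZE:
        return Verdict(False, [], "filesize >= 20MB, condition cannot match")
    hits = [s.decode() for s in GAFGYT_L_STRINGS if s in data]
    if len(hits) >= THRESHOLD:
        return Verdict(True, hits, f"{len(hits)} of {len(GAFGYT_L_STRINGS)} strings present")
    return Verdict(False, hits, f"only {len(hits)} string(s), threshold is {THRESHOLD}")


def is_elf(data: bytes) -> bool:
    """True if the buffer starts with the ELF magic number."""
    return data[:4] == ELF_MAGIC


def scan_buffer(data: bytes, require_elf: bool = True) -> Verdict:
    """Rule evaluation with an optional ELF gate (an addition, not part of the rule)."""
    if require_elf and not is_elf(data):
        return Verdict(False, [], "not an ELF image; rule is ELF-scoped (ELFHSTR)")
    return evaluate_rule(data)


def build_sample(strings: List[bytes], pad: int = 64, elf: bool = True) -> bytes:
    """Constructed test buffer: a magic number, padding, then the given strings."""
    head = ELF_MAGIC if elf else b"MZ\x90\x00"   # "MZ" stands in for a non-ELF file
    return head + b"\x00" * pad + b"\x00".join(strings) + b"\x00" * pad


if __name__ == "__main__":
    # Constructed buffers, not real samples.
    cases = {
        "four strings, ELF": build_sample(GAFGYT_L_STRINGS[:4]),
        "two strings, ELF": build_sample(GAFGYT_L_STRINGS[:2]),
        "all strings, not ELF": build_sample(GAFGYT_L_STRINGS, elf=False),
    }
    for name, buf in cases.items():
        v = scan_buffer(buf)
        print(f"{name:24} matched={v.matched} hits={v.hits} ({v.reason})")
```

Note that `evaluate_rule` counts a string even when it is embedded in a longer identifier (for example `scanner_kill` inside `scanner_kill_all`), which is exactly what the YARA `ascii` modifier does; a rule that wanted whole-token matches would need `fullword`, which this one does not use.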