Concrete signature match: DDoS for Linux platform, family Gafgyt
This threat is a variant of the Gafgyt malware, which targets Linux-based systems and IoT devices. It spreads by exploiting weak or default credentials, incorporating the compromised device into a botnet. The botnet is then used to conduct Distributed Denial of Service (DDoS) attacks.
No specific strings found for this threat
rule DDoS_Linux_Gafgyt_YA_2147741748_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "DDoS:Linux/Gafgyt.YA!MTB"
        threat_id = "2147741748"
        type = "DDoS"
        platform = "Linux: Linux platform"
        family = "Gafgyt"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 [0-3] 2e [0-3] 2e [0-3] 2e} //weight: 1, accuracy: Low
        $x_1_2 = "POST /ctrlt/DeviceUpgrade_1" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Isolate the affected device from the network immediately to prevent participation in DDoS attacks. Ensure the detected file has been removed and change all default or weak passwords on the system. Consider re-imaging the device from a known-good source to ensure complete removal.
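As an added illustration that is not part of the threatcheck.sh page or of the rule itself, the Python below translates the `$x_1_1` hex string (including its `[0-3]` jumps) into a regex and applies the rule's `filesize` and `all of ($x*)` condition to constructed buffers, so an analyst can see exactly which bytes the signature keys on. The sample buffers, the address `10.0.0.1` and the script name are constructed placeholders; for real scanning use yara-python rather than this re-implementation.

```python
import re

# Added illustration, not code from threatcheck.sh: a minimal evaluator for
# the two-string rule above. Production scanning should use yara-python.

HEX_X_1_1 = ("3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f "
             "62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 [0-3] 2e [0-3] "
             "2e [0-3] 2e")
ASCII_X_1_2 = b"POST /ctrlt/DeviceUpgrade_1"
MAX_SIZE = 20 * 1024 * 1024  # condition: filesize < 20MB


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string (byte tokens and [a-b] jumps) into a bytes regex."""
    parts = []
    for tok in pattern.split():
        jump = re.fullmatch(r"\[(\d+)-(\d+)\]", tok)
        if jump:  # [a-b] means "any a..b bytes", hence DOTALL below
            parts.append(b".{%d,%d}" % (int(jump.group(1)), int(jump.group(2))))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def fixed_prefix(pattern: str) -> bytes:
    """Literal bytes before the first jump: the readable part of $x_1_1."""
    out = bytearray()
    for tok in pattern.split():
        if tok.startswith("["):
            break
        out.append(int(tok, 16))
    return bytes(out)


X_1_1 = hex_pattern_to_regex(HEX_X_1_1)


def matches_rule(data: bytes) -> bool:
    """Evaluate the rule condition: (filesize < 20MB) and (all of ($x*))."""
    if len(data) >= MAX_SIZE:
        return False
    return X_1_1.search(data) is not None and ASCII_X_1_2 in data


# Constructed sample buffers (placeholder address 10.0.0.1), not real captures.
SAMPLE_HIT = (b"\x7fELF\x00" + ASCII_X_1_2 + b" HTTP/1.1\r\n\r\n"
              + fixed_prefix(HEX_X_1_1) + b"10.0.0.1/placeholder.sh)</NewStatusURL>")
SAMPLE_POST_ONLY = b"\x7fELF\x00" + ASCII_X_1_2 + b" HTTP/1.1\r\n"

if __name__ == "__main__":
    print("literal part of $x_1_1:", fixed_prefix(HEX_X_1_1))
    print("both strings present  :", matches_rule(SAMPLE_HIT))        # True
    print("only $x_1_2 present   :", matches_rule(SAMPLE_POST_ONLY))  # False
```

Because the rule requires both strings, a file carrying only the `POST /ctrlt/DeviceUpgrade_1` request line does not trigger it, which matches the `threshold = "2"` in the meta block.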