Tuesday, January 14, 2025
HomeCyber AttackMulti-Platform Malware "ACBackdoor" Attack Both Windows & Linux Users PC by Executing...

Multi-Platform Malware “ACBackdoor” Attack Both Windows & Linux Users PC by Executing Arbitrary Code

Published on

Researchers discovered a previously undetected multi-platform malware called ACbackdoor that has both Linux and Windows Variant to infect the respective users and steal sensitive information.

Dubbed ACbackdoor Linux variant has a completely no detection rate while the Windows variant has a higher detection rate than the Linux variant.

Researchers believe that the ACbackdoor variant is completely undocumented to the infosec community, and there is no evidence found that the malware associated with any known threat groups.

Malware has a variety of sophisticated features such as arbitrary execution of shell commands, arbitrary binary execution, persistence, and update capabilities.

Malware authors behind this campaign have previously experience targeting Linux systems, and now they turn out to attack the Windows users.

Also, the Linux variant has been written better than Windows in terms of persistence mechanism along with the different backdoor commands.

ACbackdoor Infection Process

Both Linux and Windows variant has a variety of similarities, for instances, both variants using the same protocol to communicate with the command & control server and minor implementation differences.

In the binary analysis, researchers found that the Linux binary is a statically linked ELF file, while the Windows binary is a dynamically linked PE file.

Linux variant infection activities found in the Romanian host server, but the infection process and the delivery were unclear.

Windows variant of ACbackdoor initially reported by @nao_sec via twitter, and the using a Fallout Exploit Kit as a delivery medium.

Backdoor Functionality

Unlike other Widows malware, the ACbackdoor Windows version doesn’t pose any complete functionality, but the Linux variant has a sophisticated feature in terms of the infection process.

After the complete infection, the Windows variant collecting architecture, system, and MAC address information by calling the correspondent Windows API functions.

“At the same time, Linux variant uses a different technique that mainly relies on uname system call to retrieve architecture and system information,  in addition to a combination of socket  / ioctl system calls to retrieve the MAC address, Intezer said via a blog post.

ACBackdoor
Similarities in code structure between ACBackdoor Linux and Windows

“The Windows instance will initialize a registry entry so that the malware will be executed on system start-up. The Linux instance will set up various symbolic links and add an initrd script for the malware to also run on system start-up.”

At the final stage, both variants using the same HTTPS protocol to communicate with the c2 server and share the collected information from victims.

These specific details along with the analysis above have led us to conclude that the authors behind ACBackdoor are more comfortable operating in Linux systems, while they may currently be experimenting in Windows by porting their malware to this system. Intezer Wrote.

Also Read: PureLocker Ransomware Attack Enterprise Production Servers and Encrypt Files in Windows, Linux, & macOS

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Google’s “Sign in with Google” Flaw Exposes Millions of Users’ Details

A critical flaw in Google's "Sign in with Google" authentication system has left millions...

Hackers Attacking Internet Connected Fortinet Firewalls Using Zero-Day Vulnerability

A widespread campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the...

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

RedCurl APT Deploys Malware via Windows Scheduled Tasks Exploitation

Researchers identified RedCurl APT group activity in Canada in late 2024, where the attackers...

Credit Card Skimmer Hits WordPress Checkout Pages, Stealing Payment Data

Researchers analyzed a new stealthy credit card skimmer that targets WordPress checkout pages by...

Hackers Exploiting YouTube to Spread Malware That Steals Browser Data

Malware actors leverage popular platforms like YouTube and social media to distribute fake installers....