Thursday, March 28, 2024

Multi-Platform Malware “ACBackdoor” Attack Both Windows & Linux Users PC by Executing Arbitrary Code

Researchers discovered a previously undetected multi-platform malware called ACbackdoor that has both Linux and Windows Variant to infect the respective users and steal sensitive information.

Dubbed ACbackdoor Linux variant has a completely no detection rate while the Windows variant has a higher detection rate than the Linux variant.

Researchers believe that the ACbackdoor variant is completely undocumented to the infosec community, and there is no evidence found that the malware associated with any known threat groups.

Malware has a variety of sophisticated features such as arbitrary execution of shell commands, arbitrary binary execution, persistence, and update capabilities.

Malware authors behind this campaign have previously experience targeting Linux systems, and now they turn out to attack the Windows users.

Also, the Linux variant has been written better than Windows in terms of persistence mechanism along with the different backdoor commands.

ACbackdoor Infection Process

Both Linux and Windows variant has a variety of similarities, for instances, both variants using the same protocol to communicate with the command & control server and minor implementation differences.

In the binary analysis, researchers found that the Linux binary is a statically linked ELF file, while the Windows binary is a dynamically linked PE file.

Linux variant infection activities found in the Romanian host server, but the infection process and the delivery were unclear.

Windows variant of ACbackdoor initially reported by @nao_sec via twitter, and the using a Fallout Exploit Kit as a delivery medium.

Backdoor Functionality

Unlike other Widows malware, the ACbackdoor Windows version doesn’t pose any complete functionality, but the Linux variant has a sophisticated feature in terms of the infection process.

After the complete infection, the Windows variant collecting architecture, system, and MAC address information by calling the correspondent Windows API functions.

“At the same time, Linux variant uses a different technique that mainly relies on uname system call to retrieve architecture and system information,  in addition to a combination of socket  / ioctl system calls to retrieve the MAC address, Intezer said via a blog post.

ACBackdoor
Similarities in code structure between ACBackdoor Linux and Windows

“The Windows instance will initialize a registry entry so that the malware will be executed on system start-up. The Linux instance will set up various symbolic links and add an initrd script for the malware to also run on system start-up.”

At the final stage, both variants using the same HTTPS protocol to communicate with the c2 server and share the collected information from victims.

These specific details along with the analysis above have led us to conclude that the authors behind ACBackdoor are more comfortable operating in Linux systems, while they may currently be experimenting in Windows by porting their malware to this system. Intezer Wrote.

Also Read: PureLocker Ransomware Attack Enterprise Production Servers and Encrypt Files in Windows, Linux, & macOS

Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles