securitybreach

Linux, Windows Users Targeted With New ACBackdoor Malware

Quote


Backdoor malicious capabilities

After it infects a victim's computer, the malware will start collecting system information, including its architecture and MAC address, using platform-specific tools to do it: Windows API functions on Windows, and the uname UNIX program, commonly used to print system info, on Linux.


Once it's done with the info harvesting tasks, ACBackdoor will add a registry entry on Windows, and create several symbolic links as well as an initrd script on Linux to gain persistence and get automatically launched on system startup.


The backdoor will also attempt to camouflage itself as the MsMpEng.exe process, the name of Microsoft's Windows Defender antimalware and antispyware utility, while on Linux it will disguise itself as the Ubuntu UpdateNotifier utility and rename its process to [kworker/u8:7-ev], a Linux kernel thread.

https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/

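The process masquerading the quoted article describes (renaming the process to [kworker/u8:7-ev]) is checkable against /proc, because a genuine kernel thread is a child of kthreadd (PID 2), has no executable image behind /proc/PID/exe, and has an empty cmdline; a renamed user-space binary fails at least one of those tests. The following is an added example written for this thread, not code from the article, the malware, or any product; the process records in demo_records() are constructed for illustration, and the scan_proc() function does the same checks against the live /proc of the machine it runs on.

```python
"""Spot user-space processes masquerading as Linux kernel threads.

Genuine kernel threads (kworker/*, ksoftirqd/*, rcu_*, ...) are children of
kthreadd (PID 2), have no executable image (readlink on /proc/PID/exe fails
with ENOENT), an empty /proc/PID/cmdline, and a comm without brackets (ps
adds the brackets for display; the kernel does not). A binary that renames
itself to "[kworker/u8:7-ev]" via prctl(PR_SET_NAME) or by overwriting argv
keeps a real exe link, a non-empty cmdline and a non-kthreadd parent.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

KTHREADD_PID = 2
UNKNOWN_EXE = "?"  # exe link not readable (another user's process, no root)
# comm (or argv[0]) shapes used by real kernel threads, optionally bracketed.
KERNEL_NAME_RE = re.compile(
    r"^\[?(kworker|ksoftirqd|kthreadd|migration|rcu_\w+|kswapd|watchdog|cpuhp)\b"
)


@dataclass
class ProcInfo:
    pid: int
    comm: str           # /proc/PID/comm (15 chars max, set by prctl)
    ppid: int           # PPid: line of /proc/PID/status
    exe: Optional[str]  # readlink(/proc/PID/exe); None when there is no image
    cmdline: str        # /proc/PID/cmdline with NULs turned into spaces


def looks_like_kernel_thread(p: ProcInfo) -> bool:
    """True if either comm or argv[0] claims to be a kernel thread."""
    if KERNEL_NAME_RE.match(p.comm):
        return True
    argv = p.cmdline.split()
    return bool(argv) and KERNEL_NAME_RE.match(argv[0]) is not None


def masquerade_reasons(p: ProcInfo) -> List[str]:
    """Reasons a kernel-thread-looking process is NOT a genuine kernel thread.

    An empty list means either the name is not kernel-like, or every check a
    real kernel thread would pass was passed.
    """
    if not looks_like_kernel_thread(p):
        return []
    reasons = []
    if p.pid != KTHREADD_PID and p.ppid != KTHREADD_PID:
        reasons.append(f"parent is PID {p.ppid}, not kthreadd (PID 2)")
    if p.exe not in (None, UNKNOWN_EXE):
        reasons.append(f"has a user-space executable image: {p.exe}")
    if p.cmdline.strip():
        reasons.append(f"non-empty cmdline: {p.cmdline!r}")
    if p.comm.startswith("["):
        reasons.append("comm contains a literal '[' (real kthreads never do)")
    return reasons


def find_masqueraders(records: List[ProcInfo]) -> List[Tuple[ProcInfo, List[str]]]:
    return [(p, r) for p in records if (r := masquerade_reasons(p))]


def demo_records() -> List[ProcInfo]:
    """Constructed sample records (not captured from a real system)."""
    return [
        ProcInfo(2, "kthreadd", 0, None, ""),                    # kthreadd itself
        ProcInfo(123, "kworker/u8:7-ev", 2, None, ""),           # genuine kworker
        ProcInfo(999, "bash", 1, "/usr/bin/bash", "bash"),       # ordinary process
        # renamed user-space binary; comm is truncated to 15 chars by prctl
        ProcInfo(4242, "[kworker/u8:7-e", 1, "/tmp/.x/update-notifier",
                 "[kworker/u8:7-ev]"),
    ]


def read_proc(pid: int) -> Optional[ProcInfo]:
    """Build a ProcInfo from the live /proc; None if the process vanished."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().rstrip("\n")
        ppid = 0
        with open(f"{base}/status") as f:
            for line in f:
                if line.startswith("PPid:"):
                    ppid = int(line.split()[1])
                    break
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except (FileNotFoundError, ProcessLookupError, PermissionError):
        return None
    try:
        exe: Optional[str] = os.readlink(f"{base}/exe")
    except FileNotFoundError:
        exe = None           # no image at all: kernel thread (or zombie)
    except PermissionError:
        exe = UNKNOWN_EXE    # need root to read other users' exe links
    return ProcInfo(pid, comm, ppid, exe, cmdline)


def scan_proc() -> List[Tuple[ProcInfo, List[str]]]:
    records = [r for e in os.listdir("/proc") if e.isdigit()
               if (r := read_proc(int(e))) is not None]
    return find_masqueraders(records)


if __name__ == "__main__":
    for info, reasons in find_masqueraders(demo_records()) + scan_proc():
        print(f"PID {info.pid} comm={info.comm!r}: " + "; ".join(reasons))
```

Run it as root for the exe check to cover every process; unprivileged it still catches the parent and cmdline mismatches. The constructed record 4242 trips all four checks, while the genuine kworker and kthreadd entries trip none.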
Quote

. . . while the Linux payload is dropped via a yet unknown delivery system.

Wish we knew more about how Linux systems are infected. Good article though.

56 minutes ago, ebrke said:

Wish we knew more about how Linux systems are infected. Good article though.

It sounds like people sideload the application, hence the name.

Quote

on Linux it will disguise as the Ubuntu UpdateNotifier utility


Makes it easier to spot if you don't use Ubuntu.

The article doesn't say how prevalent this is in the wild. It's concerning though as most Linux malware to date has been "proof-of-concept" rather than a serious threat.


Quote

ACBackdoor can receive the info, run, execute, and update commands from the C2 server, allowing its operators to run shell commands, to execute a binary, and to update the malware on the infected system.


But is it able to run as root? That's usually the stumbling block for most Linux malware conceptions.

3 minutes ago, sunrat said:

But is it able to run as root? That's usually the stumbling block for most Linux malware conceptions.


Well, in order to sideload an application, you have to input the sudo password, so I figured that is how they manage to get the root account. This only works as users are infecting themselves by sideloading applications.
