
Linux, Windows Users Targeted With New ACBackdoor Malware



securitybreach
Posted
Quote

 

Backdoor malicious capabilities

After it infects a victim's computer, the malware will start collecting system information, including its architecture and MAC address, using platform-specific tools to do it: Windows API functions on Windows, and the uname UNIX program, commonly used to print system info, on Linux.

 

Once it's done with the info harvesting tasks, ACBackdoor will add a registry entry on Windows, and create several symbolic links as well as an initrd script on Linux to gain persistence and get automatically launched on system startup.

 

The backdoor will also attempt to camouflage itself as the MsMpEng.exe process of Microsoft's Windows Defender antimalware and antispyware utility, while on Linux it will disguise itself as the Ubuntu UpdateNotifier utility and rename its process to [kworker/u8:7-ev], a Linux kernel thread.

 

 

https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/

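The process-name disguise quoted above is worth a concrete check. On Linux, a user-space binary can rename itself to look like a kernel worker, but it cannot fake the properties a real kernel thread has: real kernel threads are children of kthreadd (PID 2), /proc/<pid>/exe does not resolve for them, and /proc/<pid>/cmdline is empty (which is why ps prints their names in brackets). The following detector is an added example written for this thread, not code from the BleepingComputer article, Intezer's report or the malware itself; the process records in SAMPLE_PROCS are constructed, and the live scanner assumes a Linux /proc layout and is meant to be run as root so /proc/<pid>/exe is readable for every process.

```python
"""Flag user-space processes masquerading as Linux kernel threads.

Added example (not from the article or the thread). The heuristic: a name
that looks like a kernel thread is only legitimate when the process hangs
off kthreadd (PID 2), has no executable image and an empty cmdline.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

KTHREADD_PID = 2
# Prefixes the kernel uses for its own threads; the optional leading "[" is
# there because a fake may literally put the bracket into its comm.
KTHREAD_NAME = re.compile(
    r"^\[?(kworker|ksoftirqd|kthreadd|rcu_|migration|cpuhp|kswapd|kcompactd|jbd2|oom_reaper)"
)


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm, i.e. what ps shows (max 15 chars)
    exe: Optional[str]   # resolved /proc/<pid>/exe, None if it does not resolve
    cmdline: str         # /proc/<pid>/cmdline with NULs replaced by spaces


def looks_like_kernel_thread(comm: str) -> bool:
    return bool(KTHREAD_NAME.match(comm.strip()))


def is_fake_kernel_thread(p: Proc) -> bool:
    """True when the name claims kernel-thread status but the process metadata does not."""
    if not looks_like_kernel_thread(p.comm):
        return False
    if p.pid == KTHREADD_PID:          # kthreadd itself is parented by PID 0
        return False
    if "[" in p.comm:                  # the kernel never stores brackets in comm
        return True
    if p.ppid != KTHREADD_PID:         # real kernel threads are all children of kthreadd
        return True
    if p.exe is not None:              # kernel threads have no executable image
        return True
    return p.cmdline != ""             # or any argv


def find_fake_kernel_threads(procs: List[Proc]) -> List[Proc]:
    return [p for p in procs if is_fake_kernel_thread(p)]


def read_proc(pid: int) -> Optional[Proc]:
    """Build a Proc from /proc/<pid>; returns None if the process vanished."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/stat") as f:
            stat = f.read()
        # comm sits in parentheses and may contain spaces; after the closing
        # parenthesis the fields are: state ppid pgrp ...
        comm = stat[stat.index("(") + 1 : stat.rindex(")")]
        ppid = int(stat[stat.rindex(")") + 2 :].split()[1])
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:   # ENOENT for kernel threads, EACCES without root
            exe = None
        return Proc(pid, ppid, comm, exe, cmdline)
    except (OSError, ValueError):
        return None


def scan_live() -> List[Proc]:
    """Walk /proc and return every process that fails the kernel-thread check."""
    procs = [p for name in os.listdir("/proc") if name.isdigit()
             for p in [read_proc(int(name))] if p is not None]
    return find_fake_kernel_threads(procs)


# Constructed sample data: one real worker, two fakes and two unrelated processes.
SAMPLE_PROCS = [
    Proc(2, 0, "kthreadd", None, ""),
    Proc(17, 2, "kworker/u8:7-ev", None, ""),
    # renamed binary with its real image still on disk, parented by init
    Proc(4711, 1, "[kworker/u8:7-e", "/home/user/.cache/update-notifier", "[kworker/u8:7-ev]"),
    # argv zeroed so ps shows brackets, but the parent is a user shell, not kthreadd
    Proc(4712, 2000, "kworker/u8:7-ev", None, ""),
    Proc(1200, 1, "bash", "/usr/bin/bash", "bash"),
]

if __name__ == "__main__":
    for p in scan_live():
        print(f"suspicious: pid={p.pid} ppid={p.ppid} comm={p.comm!r} exe={p.exe}")
```

Without root, /proc/<pid>/exe of other users' processes reads as EACCES and the exe test degrades to a silent pass; the ppid and bracket tests still fire, so the scanner errs toward missing a fake rather than inventing one. A fake that also reparents itself under PID 2 is not possible from user space, which is what makes the ppid check the strongest of the four.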
securitybreach
Posted

Like always, that is why you only install packages from trusted repos.

ebrke
Posted
Quote

. . . while the Linux payload is dropped via a yet unknown delivery system.

Wish we knew more about how Linux systems are infected. Good article though.

securitybreach
Posted
56 minutes ago, ebrke said:

Wish we knew more about how Linux systems are infected. Good article though.

 

It sounds like people side load the application, hence the name.

sunrat
Posted
Quote

on Linux it will disguise as the Ubuntu UpdateNotifier utility

 

Makes it easier to spot if you don't use Ubuntu.

The article doesn't say how prevalent this is in the wild. It's concerning though as most Linux malware to date has been "proof-of-concept" rather than a serious threat.

 

Quote

ACBackdoor can receive the info, run, execute, and update commands from the C2 server, allowing its operators to run shell commands, to execute a binary, and to update the malware on the infected system.

 

But is it able to run as root? That's usually the stumbling block for most Linux malware conceptions.

securitybreach
Posted
3 minutes ago, sunrat said:

But is it able to run as root? That's usually the stumbling block for most Linux malware conceptions.

 

Well, in order to side load an application, you have to input the sudo password, so I figured that is how they manage to get the root account. This only works as users are infecting themselves by sideloading applications.
securitybreach
Posted

There is not much you can do if the user gives up their password willingly.
