securitybreach 10,304 Posted November 23 Quote Backdoor malicious capabilities After it infects a victim's computer, the malware will start collecting system information including its architecture and MAC address, using platform-specific tools to do it, with Windows API functions on Windows and uname UNIX program commonly used to print system info. Once it's done with the info harvesting tasks, ACBackdoor will add a registry entry on Windows, and create several symbolic links as well as an initrd script on Linux to gain persistence and get automatically launched on system startup. The backdoor will also attempt to camouflage itself as MsMpEng.exe process, the of Microsoft's Windows Defender antimalware and antispyware utility, while on Linux it will disguise as the Ubuntu UpdateNotifier utility and will rename its process to [kworker/u8:7-ev], a Linux kernel thread. https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/ 2 Share this post Link to post Share on other sites
securitybreach 10,304 Posted November 23 Like always, that is why you only install packages from trusted repos. 2 Share this post Link to post Share on other sites
ebrke 1,234 Posted November 23 Quote . . . while the Linux payload is dropped via a yet unknown delivery system. Wish we knew more about how linux system are infected. Good article though. Share this post Link to post Share on other sites
securitybreach 10,304 Posted November 23 56 minutes ago, ebrke said: Wish we knew more about how linux system are infected. Good article though. It sounds like people side load the application, hence the name. Share this post Link to post Share on other sites
sunrat 2,051 Posted November 24 Quote on Linux it will disguise as the Ubuntu UpdateNotifier utility Makes it easier to spot if you don't use Ubuntu. The article doesn't say how prevalent this is in the wild. It's concerning though as most Linux malware to date has been "proof-of-concept" rather than a serious threat. Quote ACBackdoor can receive the info, run, execute, and update commands from the C2 server, allowing its operators to run shell commands, to execute a binary, and to update the malware on the infected system. But is it able to run as root? That's usually the stumbling block for most Linux malware conceptions. 1 Share this post Link to post Share on other sites
securitybreach 10,304 Posted November 24 3 minutes ago, sunrat said: But is it able to run as root? That's usually the stumbling block for most Linux malware conceptions. Well in order to side load an application, you have to input the sudo password so I figured that is how they manage to get the root account. This only works as user are infecting themselves by sideloading applications. 1 Share this post Link to post Share on other sites
securitybreach 10,304 Posted November 24 There is not much you can do if the user gives up their password willingly. 2 Share this post Link to post Share on other sites
