
Linux, Windows Users Targeted With New ACBackdoor Malware


securitybreach
Quote


Backdoor malicious capabilities

After it infects a victim's computer, the malware will start collecting system information, including its architecture and MAC address, using platform-specific tools to do it: Windows API functions on Windows, and the uname UNIX program commonly used to print system info on Linux.


Once it's done with the info harvesting tasks, ACBackdoor will add a registry entry on Windows, and create several symbolic links as well as an initrd script on Linux to gain persistence and get automatically launched on system startup.


The backdoor will also attempt to camouflage itself as the MsMpEng.exe process, the process of Microsoft's Windows Defender antimalware and antispyware utility, while on Linux it will disguise itself as the Ubuntu UpdateNotifier utility and will rename its process to [kworker/u8:7-ev], a Linux kernel thread.


https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/

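The process renaming to [kworker/u8:7-ev] quoted above can be checked for from the defender's side, because a genuine kernel thread has an empty /proc/<pid>/cmdline, no /proc/<pid>/exe link and kthreadd (pid 2) as its parent, while a user process that has only changed its name fails at least one of those tests. The script below is an added example, not code from the article or from this thread; the sample pids, parent and path in it are constructed.

```python
import os
import re
from dataclasses import dataclass
from pathlib import Path
# Names the kernel gives its own threads (ps adds the brackets; the kernel never does).
KTHREAD_NAME = re.compile(r"^(kworker/|ksoftirqd/|migration/|kthreadd$|rcu_|jbd2/|kswapd)")

@dataclass
class ProcInfo:
    pid: int
    comm: str            # /proc/<pid>/comm (at most 15 characters)
    ppid: int            # PPid: line of /proc/<pid>/status
    cmdline: bytes       # /proc/<pid>/cmdline, NUL separated; empty for kernel threads
    exe: "str | None"    # readlink(/proc/<pid>/exe); None for kernel threads

def is_fake_kthread(p: ProcInfo) -> bool:
    """Real kernel threads have an empty cmdline, no exe link and kthreadd (pid 2) as parent."""
    names = {p.comm}   # what a process lister prints: comm, or argv[0] taken from cmdline
    if p.cmdline:
        names.add(p.cmdline.split(b"\0")[0].decode("utf-8", "replace"))
    # A literal "[" in the name is itself a giveaway, since the kernel never puts one in comm.
    if p.pid == 2 or not any(n.startswith("[") or KTHREAD_NAME.match(n) for n in names):
        return False
    return bool(p.cmdline) or p.exe is not None or p.ppid != 2

def read_proc(pid: int) -> "ProcInfo | None":
    """Read one live /proc entry; None if the process vanished or cannot be read."""
    d = Path("/proc", str(pid))
    try:
        comm = (d / "comm").read_text().rstrip("\n")
        cmdline = (d / "cmdline").read_bytes()
        ppid = int(re.search(r"^PPid:\s*(\d+)", (d / "status").read_text(), re.M).group(1))
    except (OSError, AttributeError):
        return None
    try:
        exe = os.readlink(d / "exe")
    except OSError:   # ENOENT for kernel threads, EACCES for other users' processes
        exe = None
    return ProcInfo(pid, comm, ppid, cmdline, exe)

def scan(procs) -> list:
    return [p.pid for p in procs if is_fake_kthread(p)]

# Constructed sample: kthreadd, a real kworker, and a user process whose argv[0] was rewritten
# to "[kworker/u8:7-ev]"; pid, parent and path are made up for the example.
SAMPLE = [
    ProcInfo(2, "kthreadd", 0, b"", None),
    ProcInfo(231, "kworker/u8:7-ev", 2, b"", None),
    ProcInfo(4172, "update-notifier", 1, b"[kworker/u8:7-ev]\0", "/tmp/.x/update-notifier"),
]
```

To run it against a live system, pass `scan` the non-None results of `read_proc(int(d))` for each numeric entry `d` in `os.listdir("/proc")`.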

securitybreach
56 minutes ago, ebrke said:

Wish we knew more about how Linux systems are infected. Good article though.


It sounds like people side load the application, hence the name.


Quote

on Linux it will disguise as the Ubuntu UpdateNotifier utility


Makes it easier to spot if you don't use Ubuntu.

The article doesn't say how prevalent this is in the wild. It's concerning though as most Linux malware to date has been "proof-of-concept" rather than a serious threat.


Quote

ACBackdoor can receive the info, run, execute, and update commands from the C2 server, allowing its operators to run shell commands, to execute a binary, and to update the malware on the infected system.


But is it able to run as root? That's usually the stumbling block for most Linux malware conceptions.


securitybreach
3 minutes ago, sunrat said:

But is it able to run as root? That's usually the stumbling block for most Linux malware conceptions.


Well, in order to side load an application, you have to input the sudo password, so I figured that is how they manage to get the root account. This only works because users are infecting themselves by sideloading applications.
