securitybreach Posted November 23, 2019
Quote:
Backdoor malicious capabilities
After it infects a victim's computer, the malware will start collecting system information including its architecture and MAC address, using platform-specific tools to do it, with Windows API functions on Windows and the uname UNIX program commonly used to print system info. Once it's done with the info harvesting tasks, ACBackdoor will add a registry entry on Windows, and create several symbolic links as well as an initrd script on Linux to gain persistence and get automatically launched on system startup. The backdoor will also attempt to camouflage itself as the MsMpEng.exe process, Microsoft's Windows Defender antimalware and antispyware utility, while on Linux it will disguise itself as the Ubuntu UpdateNotifier utility and will rename its process to [kworker/u8:7-ev], a Linux kernel thread.
https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/
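The quoted article says the Linux payload renames its process to [kworker/u8:7-ev]. That is checkable from a defender's side: a real kernel thread carries the PF_KTHREAD flag in /proc/<pid>/stat, has an empty /proc/<pid>/cmdline and no /proc/<pid>/exe link, and the brackets seen in ps output are drawn by ps, never stored in the real comm. The script below is an added example, not code from the article or from anyone in this thread; the record names, the kernel-thread name list and the sample records are assumptions constructed for illustration. It flags user-space processes whose name imitates a kernel thread and, on a Linux host, can also scan the live /proc tree.

```python
"""Added example: flag user-space processes that masquerade as Linux kernel threads."""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Per-process flag from include/linux/sched.h; appears in field 9 of /proc/<pid>/stat.
PF_KTHREAD = 0x00200000

# Name prefixes legitimate kernel threads use (assumed list, extend as needed).
KTHREAD_NAMES = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd|cpuhp|watchdog)")


@dataclass
class ProcRecord:
    pid: int
    comm: str            # /proc/<pid>/comm without the trailing newline
    cmdline: str         # /proc/<pid>/cmdline with NUL separators turned into spaces
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None when absent or unreadable
    flags: int           # field 9 of /proc/<pid>/stat


def masquerade_reasons(rec: ProcRecord) -> List[str]:
    """Return why a record looks like a fake kernel thread; empty list means benign."""
    reasons: List[str] = []
    if rec.flags & PF_KTHREAD:
        return reasons  # the kernel itself marks this as a kernel thread
    stripped = rec.comm.strip("[]")
    if stripped != rec.comm:
        reasons.append("comm contains literal brackets")  # ps adds these; a real comm never has them
    if KTHREAD_NAMES.match(stripped):
        if rec.cmdline.strip():
            reasons.append("kernel-thread name but non-empty cmdline")
        if rec.exe:
            reasons.append("kernel-thread name but has an exe link: " + rec.exe)
        if not reasons:
            reasons.append("kernel-thread name without PF_KTHREAD")
    return reasons


def find_masquerading(records: List[ProcRecord]) -> List[int]:
    """PIDs of all records that trip at least one check."""
    return [r.pid for r in records if masquerade_reasons(r)]


def read_proc_record(pid: int) -> Optional[ProcRecord]:
    """Build a ProcRecord from a live /proc entry; None if the process vanished."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/stat") as f:
            stat = f.read()
        # comm may contain spaces or parentheses, so split after the last ')'.
        rest = stat[stat.rfind(")") + 2:].split()
        flags = int(rest[6])  # fields after comm: state ppid pgrp session tty_nr tpgid flags ...
        with open(f"{base}/comm") as f:
            comm = f.read().rstrip("\n")
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return None
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None  # kernel threads have no exe; other users' processes are unreadable
    return ProcRecord(pid, comm, cmdline, exe, flags)


def scan_live_system() -> List[ProcRecord]:
    """Every readable process on a Linux host; empty list on other platforms."""
    if not os.path.isdir("/proc"):
        return []
    pids = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    return [r for r in (read_proc_record(p) for p in pids) if r is not None]


# Constructed sample records for offline use (not captured from a real infection).
SAMPLE = [
    ProcRecord(123, "kworker/u8:7-ev", "", None, 0x00208040),                        # genuine kernel thread
    ProcRecord(4242, "[kworker/u8:7-ev]", "/tmp/.x/upd", "/tmp/.x/upd", 0x00400100),  # renamed user binary
    ProcRecord(999, "bash", "-bash", "/usr/bin/bash", 0x00400100),                    # ordinary shell
]

if __name__ == "__main__":
    for rec in SAMPLE + scan_live_system():
        for reason in masquerade_reasons(rec):
            print(f"pid {rec.pid} ({rec.comm}): {reason}")
```

Run as an unprivileged user the exe check is only reliable for your own processes, because readlink on another user's /proc/<pid>/exe fails with EACCES and is treated as unknown; the cmdline and PF_KTHREAD checks work for every process. On the constructed sample only pid 4242 is reported, for all three reasons.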
securitybreach Posted November 23, 2019
Like always, that is why you only install packages from trusted repos.
ebrke Posted November 23, 2019
Quote:
. . . while the Linux payload is dropped via a yet unknown delivery system.
Wish we knew more about how Linux systems are infected. Good article though.
securitybreach Posted November 23, 2019
56 minutes ago, ebrke said:
Wish we knew more about how Linux systems are infected. Good article though.
It sounds like people side load the application, hence the name.
sunrat Posted November 24, 2019
Quote:
on Linux it will disguise as the Ubuntu UpdateNotifier utility
Makes it easier to spot if you don't use Ubuntu. The article doesn't say how prevalent this is in the wild. It's concerning though, as most Linux malware to date has been "proof-of-concept" rather than a serious threat.
Quote:
ACBackdoor can receive the info, run, execute, and update commands from the C2 server, allowing its operators to run shell commands, to execute a binary, and to update the malware on the infected system.
But is it able to run as root? That's usually the stumbling block for most Linux malware conceptions.
securitybreach Posted November 24, 2019
3 minutes ago, sunrat said:
But is it able to run as root? That's usually the stumbling block for most Linux malware conceptions.
Well, in order to side load an application you have to input the sudo password, so I figured that is how they manage to get the root account. This only works because users are infecting themselves by sideloading applications.
securitybreach Posted November 24, 2019
There is not much you can do if the user gives up their password willingly.