ACBackdoor, new malware that affects Linux and Windows


A few minutes ago we published an article in which we said that there is no such thing as perfect software, and that browsers like Chrome, Edge or Safari are "easy" to hack. There we argued that software is imperfect, whether programs/apps or operating systems, but the focus was on vulnerabilities found in programs. Now we have to do the same for operating systems: a new piece of malware that affects Linux and Windows has been discovered, and its name is ACBackdoor.

As reported by Bleeping Computer, security researchers have discovered a new cross-platform backdoor that affects the Windows and Linux operating systems. This malware can be used to execute malicious code and binaries on compromised computers. By all appearances it was developed by a group with experience in building malicious tools for Linux, according to Ignacio Sanmillan of Intezer.

ACBackdoor is more dangerous on Linux than on Windows

There are two variants, and both share the same command and control (C2) server. Their infection routes differ: the Windows version is being distributed through malvertising with the help of the Fallout Exploit Kit, while the Linux payload is dropped by an as-yet-unknown delivery mechanism.

The latest version of the malware targets the vulnerabilities CVE-2018-15982, in Flash Player, and CVE-2018-8174, in the Internet Explorer VBScript engine. In both cases the intention is to infect visitors to web pages controlled by the attacker. One could say that, while we insist there is no perfect software, in the case of Flash Player it never rains but it pours.

The strangest, or let's say least common, thing is that the Windows version does not pose a complex threat. ACBackdoor's Windows version is a "port" of the Linux one:

The Linux implant has been written noticeably better than the Windows implant, highlighting the implementation of the persistence mechanism along with the different backdoor commands and additional features not seen in the Windows version, such as creating separate processes and renaming processes.

How this backdoor works

After infecting a computer, the malware starts collecting system information, including the architecture and MAC address. For this it uses platform-specific tools: Windows API functions on Windows, and on Linux the UNIX uname program commonly used to print system information. Once the information gathering is done, ACBackdoor adds an entry to the Windows registry and creates several symbolic links, while on Linux it creates an initrd script to achieve persistence and launch automatically on every reboot.

On Windows, the backdoor also attempts to disguise itself as an MsMpEng.exe process, Microsoft's Windows Defender antimalware and antispyware utility. On Linux it camouflages itself by imitating Ubuntu's update notification utility (UpdateNotifier) and renames its process to [kworker/u8:7-ev], a name that looks like a Linux kernel worker thread.
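Because a genuine kworker is always a child of kthreadd (PID 2) and has no executable behind it, the process rename described above can be spotted from /proc. The following detection sketch is an added example, not code from the article or from Intezer; the process records in SAMPLE are constructed, and the binary path in them is a placeholder.

```python
import os
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List

KTHREADD_PID = 2  # every genuine kernel thread is a child of kthreadd (PID 2)
KWORKER_RE = re.compile(r"^\[?kworker/")  # name pattern the implant imitates

@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str  # process name as ps or /proc/<pid>/comm shows it
    exe: str   # target of /proc/<pid>/exe; "" when absent (kernel threads)

def is_masquerading(p: Proc) -> bool:
    """kworker-looking process that is not a kthreadd child or has an on-disk binary."""
    if not KWORKER_RE.match(p.comm.strip()):
        return False
    return p.ppid != KTHREADD_PID or p.exe != ""

def find_masquerading(procs: List[Proc]) -> List[Proc]:
    return [p for p in procs if is_masquerading(p)]

def read_process_table() -> List[Proc]:
    """Build the table from /proc (Linux; run as root so every exe link is readable).
    /proc/<pid>/stat is "pid (comm) state ppid ..."; comm may contain ')', so split on the last."""
    procs = []
    for entry in filter(str.isdigit, os.listdir("/proc")):
        proc_dir = Path("/proc") / entry
        try:
            comm = (proc_dir / "comm").read_text().strip()
            ppid = int((proc_dir / "stat").read_text().rsplit(")", 1)[1].split()[1])
        except OSError:
            continue  # process exited between listdir and read
        try:
            exe = os.readlink(proc_dir / "exe")
        except OSError:
            exe = ""  # kernel threads have no exe link
        procs.append(Proc(int(entry), ppid, comm, exe))
    return procs

# Constructed sample table (not real telemetry); the binary path is a placeholder.
SAMPLE = [
    Proc(7, 2, "kworker/u8:7-events_unbound", ""),                 # genuine kernel worker
    Proc(4242, 1, "[kworker/u8:7-ev]", "/tmp/PLACEHOLDER-binary"),  # renamed user process
    Proc(1200, 1, "bash", "/usr/bin/bash"),
]
```

On a live Linux host, `find_masquerading(read_process_table())` returns the suspicious entries; on the constructed SAMPLE only PID 4242 is flagged.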

ACBackdoor sends information via HTTPS

Both variants of the malware communicate with the C2 server over HTTPS, sending all the collected information as a Base64-encoded payload. In the other direction, ACBackdoor can receive information, execute and update commands from that C2 server, which lets its operators run shell commands and binaries and update the malware already present on an infected system.

Common sense is the best way to avoid this and other malware problems. The first thing is not to visit web pages of dubious origin, something a modern browser helps with by warning us when a website is or could be dangerous. Beyond that, and this applies to any operating system, it is always worth keeping the software we use well updated. There is no such thing as perfect software, operating systems included, and ACBackdoor is the latest proof of that.


5 comments


  1.   anonymous said

    Based on Flash Player... please see a psychiatrist.
    Who is the fool that is still using Flash Player, which hasn't existed for years?
    I really believe this press is paid to defame GNU/Linux, I don't have many other options to think of. Bad, bad, VERY BAD.

    1.    HACKERCRAC3850K said

      If you have a laptop or PC and you use your browser, whatever it is, I'm sure you use Adobe Flash Player, because without it you won't get half the ads and the pages don't work well either. If you don't know about it, don't say anything.

  2.   Daniel said

    Ufffff, so be careful with dubious sites then; these days practically nobody is totally safe. Very good article, compadre, greetings.

  3.   Leo said

    Have cleaning tools been created for Linux against these infections?

    1.    Pepe said

      Cleaning tools?
      That would be installing an antimalware, nothing more, nothing less. That's why I don't use Linux: anything that sneaks in there stays, just look at some servers with Trojans inside for years.