A few minutes ago we published an article in which we said that there is no perfect software, and that browsers like Chrome, Edge or Safari are "easy" to hack. In that article we said that software is imperfect, whether we are talking about programs and apps or about operating systems, but the vulnerabilities discussed were ones found in programs. Now we have to do the same for operating systems: a new malware that affects Linux and Windows has been discovered, and its name is ACBackdoor.
As Bleeping Computer has reported, security researchers have discovered a new cross-platform backdoor that affects the Windows and Linux operating systems. This malware can be used to execute malicious code and binaries on compromised computers. By the looks of it, it was developed by a group with experience in developing malicious tools for Linux, in the words of Ignacio Sanmillan of Intezer.
ACBackdoor is more dangerous on Linux than on Windows
There are two variants and both share the same command and control (C2) server. The infection routes they use are different: the Windows version is being distributed through malvertising with the help of the Fallout Exploit Kit, while the Linux payload is dropped through an as yet unknown delivery system.
The latest version of the malware targets the vulnerabilities CVE-2018-15982, related to Flash Player, and CVE-2018-8174, related to the Internet Explorer VBScript engine. In both cases the intention is to infect visitors to web pages controlled by the attacker. We could say that, although we insist there is no perfect software, in the case of Flash Player it is the same old story.
The strangest thing, or let's say the less common one, is that the Windows version does not pose a complex threat. The Windows version of ACBackdoor is a "port" of the Linux one:
The Linux implant has been written noticeably better than the Windows implant, highlighting the implementation of the persistence mechanism along with the different backdoor commands and additional features not seen in the Windows version, such as creating separate processes and renaming processes.
How this backdoor works
After infecting a computer, the malware starts collecting system information, including its architecture and MAC address. To do this it uses platform-specific tools: Windows API functions on Windows, and on Linux the uname program commonly used to print system information. Once the information gathering is done, ACBackdoor adds an entry to the Windows registry and creates several symbolic links, while on Linux it creates an initrd script to achieve persistence and launch automatically on every reboot.
On Windows, the backdoor also tries to disguise itself as an MsMpEng.exe process, Microsoft's Windows Defender antimalware and antispyware utility. On Linux it camouflages itself by emulating Ubuntu's update notification utility (UpdateNotifier) and renames its process to [kworker/u8:7-ev], a name associated with Linux kernel worker threads.
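The masquerading described above is also what gives it away: a real kworker thread is a child of kthreadd (PID 2) and has no executable on disk, and Defender's engine runs from a known directory. The following script is an added example written for this article, not code from the original post or from Intezer's report. It checks constructed process records against those expectations; the Defender install paths and the sample executable paths are assumptions, and on a real host the same fields would be filled from /proc on Linux or the process list on Windows.

```python
"""Added example (not from the article or from Intezer's report): flag
processes whose name matches one ACBackdoor is reported to borrow but whose
other attributes do not fit the genuine process."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str            # name as shown by ps / the task list
    exe: Optional[str]   # resolved executable path; None for kernel threads
    platform: str        # "linux" or "windows"


# Genuine kworker threads are children of kthreadd (PID 2) and have no
# executable on disk; a user-space process that merely calls itself
# "[kworker/u8:7-ev]" fails both tests.
KWORKER_RE = re.compile(r"^\[kworker/u\d+:\d+(-\w+)?\]$")

# Assumption: default install locations of the Windows Defender engine
# (lowercased because the comparison below is case-insensitive).
DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)


def suspicious(p: Proc) -> Optional[str]:
    """Return a short reason if the process looks like a masquerade, else None."""
    if p.platform == "linux":
        if KWORKER_RE.match(p.name) and (p.exe is not None or p.ppid != 2):
            return "kernel-thread name on a user-space process"
        if (p.name.lower().replace("-", "") == "updatenotifier"
                and p.exe is not None and not p.exe.startswith("/usr/")):
            return "update-notifier running from an unexpected path"
    elif p.platform == "windows":
        exe = (p.exe or "").lower()
        if p.name.lower() == "msmpeng.exe" and not exe.startswith(DEFENDER_DIRS):
            return "MsMpEng.exe outside the Defender directories"
    return None


def scan(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, name, reason) for every process that trips a check."""
    hits = []
    for p in procs:
        reason = suspicious(p)
        if reason:
            hits.append((p.pid, p.name, reason))
    return hits


# Constructed sample: legitimate processes on each platform plus two masquerades.
SAMPLE = [
    Proc(123, 2, "[kworker/u8:7-events]", None, "linux"),
    Proc(900, 1, "update-notifier", "/usr/bin/update-notifier", "linux"),
    Proc(4242, 1, "[kworker/u8:7-ev]", "/tmp/.cache/acb", "linux"),
    Proc(3100, 700, "MsMpEng.exe",
         r"C:\Program Files\Windows Defender\MsMpEng.exe", "windows"),
    Proc(5000, 1900, "MsMpEng.exe", r"C:\Users\Public\MsMpEng.exe", "windows"),
]

if __name__ == "__main__":
    for pid, name, reason in scan(SAMPLE):
        print(f"PID {pid:>5} {name:<24} {reason}")
```

Running it against the constructed sample reports only PID 4242 (a kworker name with an on-disk executable and a non-kthreadd parent) and PID 5000 (MsMpEng.exe under a user-writable path); the genuine kernel thread, update-notifier and Defender entries pass.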
ACBackdoor sends information via HTTPS
To communicate with the C2 server, both variants of the malware use HTTPS as the communication channel, sending all the collected information as a base64-encoded payload. In the other direction, ACBackdoor can receive information, execution and update commands from the C2 server, which lets its operators execute shell commands and binaries and update the malware already present on an infected system.
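Because the channel is HTTPS, the request body is only visible where TLS is inspected (a proxy, a sandbox, or a memory capture), but once a body is in hand a defender wants to know quickly whether it is an encoded host-information beacon or an encoded binary such as a pushed update. The script below is an added example for this article, not code from the original post or from Intezer's report. The article only states that the collected data is sent base64-encoded; the field layout of the constructed sample beacon is an assumption made for illustration.

```python
"""Added example (not part of the article): triage a captured HTTPS request
body that may be an ACBackdoor-style base64 beacon or an encoded binary."""
import base64
import binascii
import re
from typing import Dict, List, Optional

MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
ARCH_RE = re.compile(r"\b(?:x86_64|amd64|i[3-6]86|aarch64|arm64)\b", re.I)


def decode_strict(body: str) -> Optional[bytes]:
    """Decode only if the whole body is well-formed base64; None otherwise."""
    try:
        return base64.b64decode(body.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def printable_ratio(raw: bytes) -> float:
    """Share of bytes that are printable ASCII or common whitespace."""
    if not raw:
        return 0.0
    printable = sum(1 for b in raw if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(raw)


def triage(body: str) -> Dict[str, object]:
    """Classify a body as not base64, an encoded binary (e.g. a pushed update),
    a text beacon carrying host identifiers, or other encoded text."""
    raw = decode_strict(body)
    if not raw:
        return {"verdict": "not-base64"}
    # An ELF or PE header points to a payload or update rather than a beacon.
    if raw[:4] == b"\x7fELF" or raw[:2] == b"MZ":
        return {"verdict": "encoded-binary", "size": len(raw)}
    text = raw.decode("utf-8", errors="replace")
    macs: List[str] = MAC_RE.findall(text)
    archs: List[str] = ARCH_RE.findall(text)
    if printable_ratio(raw) > 0.9 and (macs or archs):
        return {"verdict": "host-info-beacon", "macs": macs, "archs": archs}
    return {"verdict": "encoded-text",
            "printable_ratio": round(printable_ratio(raw), 2)}


# Constructed samples; the beacon field layout is an assumption.
SAMPLE_BEACON = base64.b64encode(
    b"arch=x86_64;mac=00:11:22:33:44:55;os=linux").decode()
SAMPLE_JSON = '{"status":"ok"}'
SAMPLE_ELF = base64.b64encode(b"\x7fELF" + b"\x00" * 60).decode()

if __name__ == "__main__":
    for label, body in [("beacon", SAMPLE_BEACON),
                        ("json", SAMPLE_JSON), ("elf", SAMPLE_ELF)]:
        print(label, triage(body))
```

Strict decoding (`validate=True`) matters here: the lenient default silently drops non-alphabet characters and would turn ordinary JSON or form data into garbage bytes instead of rejecting it. The MAC and architecture checks are keyed to exactly the two items the article says the backdoor collects.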
Common sense is the best way to avoid this and other malware problems. The first thing is not to visit web pages of dubious origin, and a modern browser helps here by warning us when a website is or could be dangerous. Secondly, and this applies to any operating system, it is always worth keeping the software we use up to date. There is no such thing as perfect software, and that includes operating systems; ACBackdoor is the latest proof of that.