Recently, a malware by the name of ACbackdoor has been discovered which infects both Windows and Linux based systems.
With little to no documentation of its origin, it has capabilities for pretty complex operations which include arbitrary execution of shell commands, updating, arbitrary binary execution, and persistence. Although both of the variants have different backdoor commands and differ in terms of their nature, similarities exist as well such as both using the same protocol to communicate with its Command & Control (C&C) Centre.
Furthermore, the Linux variant comes across as more complex with extra capabilities such as process renaming. This is also evident through a search of the Linux binary on VirusTotal where it is detected by only one anti-malware scanning engine whereas the Windows version yielded a significantly higher detection rate of 37/70.
The Linux version was initially found on a Romanian hosted server whereas the Windows one was delivered via an exploit kit called Fallout as revealed by Nao Sec.
“The Linux implant has noticeably been written better than the Windows implant, highlighting the implementation of the persistence mechanism along with the different backdoor commands and additional features not seen in the Windows version such as independent process creation and process renaming,” the company stated in its blog post.
— nao_sec (@nao_sec) November 11, 2019
Once it infects the system, it uses the operating system’s capabilities to collect certain information such as its architectural details and MAC address. As an example, on Windows, it would use the Windows API function and on Unix, the Uname program which is commonly used to find system information. Next, it adds a registry link on Windows and initrd script on Linux helping it automatically launch itself upon the machine’s startup thereby helping it be more effective.
However, to prevent getting caught once all of this has been done, it doesn’t stop here. It hides by re-naming itself as the commonly found MsMpEng.exe process in Windows which is more commonly known as being of Windows Defender. Hence, the user would think a legitimate program has been running but in reality, it is this trojan horse. On Linux, it poses as the Ubuntu UpdateNotifier utility being renamed to [kworker/u8:7-ev].
In conclusion, we’re for the future to see who turns out to be behind the malware which can be used to deduce the attacker’s ultimate motives. For the time being, this leaves us with an important takeaway to not even trust legitimate processes running since as seen they can be in actuality malicious ones renamed.