A backdoor version of malware, ACBackdoor, is hitting Linux and Windows platforms. Once the malware has compromised the machines, the attackers run additional malicious code and binaries. One security researcher at Intezer has studied ACBackdoor and says about it:
“ACBackdoor provides arbitrary execution of shell commands, arbitrary binary execution, persistence, and update capabilities.”
The malware was previously unknown and undocumented in the infosec community, and the threat group behind ACBackdoor appears to be new, with no known connections to other groups. The way the malware is built and executes makes clear that the group has experience developing malware aimed at the Linux platform.
Variants of ACBackdoor
Though they share the same command and control (C2) server, the Windows and Linux variants of ACBackdoor are delivered separately, and the infection vectors differ. The Windows version is served through the Fallout Exploit Kit, while the Linux payload is delivered by a mechanism that has not yet been identified.
Another Intezer researcher, Ignacio Sanmillan, analyzed the exploit kit in September. He identified the vulnerabilities it exploits as CVE-2018-15982 (Adobe Flash Player) and CVE-2018-8174 (Microsoft Internet Explorer VBScript engine). Users who visit sites controlled by the attackers are infected.
Although both ACBackdoor variants share similar control flow and logic, the Linux variant has a more robust persistence mechanism, is better written, and has different backdoor commands and features than the Windows variant. It is also detected far more often on Windows than on Linux: the Windows sample is flagged by 37 of 70 engines, while the Linux sample is flagged by only one anti-malware scanning engine. The Linux binaries also have greater malicious capabilities.
The Intezer report further says, “The Linux implant has noticeably been written better than the Windows implant, highlighting the implementation of the persistence mechanism along with the different backdoor commands and additional features not seen in the Windows version such as independent process creation and process renaming.”
ACBackdoor in Action
Once the victim’s computer is infected, ACBackdoor uses platform tools including Windows API functions to collect system information such as its MAC address and architecture.
ACBackdoor then creates symbolic links and initrd scripts on Linux and adds a registry entry on Windows. These and additional steps register the malware so that it is launched automatically at system startup. On both systems the malware disguises itself as a legitimate process: on Linux it renames itself after the Ubuntu UpdateNotifier utility, and on Windows it poses as MsMpEng.exe, the core process of the Microsoft Windows Defender antimalware and antispyware utility.
Both variants communicate with the C2 server over HTTPS, and the collected information is sent as a Base64-encoded payload.
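The process-masquerading behaviour described above (a renamed binary posing as UpdateNotifier or MsMpEng.exe) suggests a simple host check a defender can run. The script below is an added example, not code from the original post or from Intezer or Virsec. It applies two checks to a process snapshot: a process carrying a commonly impersonated name must run from an allowed install directory, and on Linux the kernel's comm value must match the basename of the binary behind /proc/<pid>/exe, since renaming a process changes comm but not the path. The allowed directories, the interpreter exemption list and the sample process records are assumptions constructed for illustration.

```python
"""Detect process-name masquerading of the kind described for ACBackdoor.

Added example; the allowed directories and the embedded process records are
constructed for illustration and are not taken from the Intezer report.
"""
import os
from dataclasses import dataclass
from typing import Dict, List

# Assumed legitimate install directories for names the malware impersonates.
ALLOWED_DIRS: Dict[str, List[str]] = {
    "update-notifier": ["/usr/bin", "/usr/lib/update-notifier"],
    "MsMpEng.exe": [r"C:\Program Files\Windows Defender",
                    r"C:\ProgramData\Microsoft\Windows Defender\Platform"],
}

# Interpreted programs legitimately have exe pointing at the interpreter,
# so the comm/exe comparison is skipped for them (simplified assumption).
INTERPRETERS = ("python", "perl", "bash", "sh", "dash")

COMM_MAX = 15  # Linux truncates /proc/<pid>/comm to 15 bytes


@dataclass
class Proc:
    pid: int
    comm: str    # name the kernel or task manager shows
    exe: str     # resolved path of the executable on disk
    linux: bool  # which path conventions apply


def _split(path: str, linux: bool):
    sep = "/" if linux else "\\"
    head, _, tail = path.rpartition(sep)
    return head, tail


def check_proc(p: Proc) -> List[str]:
    """Return a list of findings for one process; empty means nothing odd."""
    findings = []
    directory, base = _split(p.exe, p.linux)
    sep = "/" if p.linux else "\\"

    # Check 1: watched name running from outside its allowed directories.
    if p.comm in ALLOWED_DIRS:
        allowed = ALLOWED_DIRS[p.comm]
        if not any(directory == a or directory.startswith(a + sep) for a in allowed):
            findings.append(
                f"pid {p.pid}: '{p.comm}' running from unexpected path {p.exe}")

    # Check 2 (Linux only): comm does not match the on-disk binary name,
    # which is what a prctl-style rename of a running process looks like.
    if p.linux and not base.startswith(INTERPRETERS):
        if p.comm != base[:COMM_MAX]:
            findings.append(
                f"pid {p.pid}: comm '{p.comm}' does not match binary '{base}' "
                f"(possible process rename)")
    return findings


def scan(procs: List[Proc]) -> Dict[int, List[str]]:
    """Run check_proc over a snapshot and keep only processes with findings."""
    results = {}
    for p in procs:
        hits = check_proc(p)
        if hits:
            results[p.pid] = hits
    return results


def snapshot_linux() -> List[Proc]:
    """Build a live snapshot from /proc (Linux only; needs read access)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # kernel threads, exited or unreadable processes
        procs.append(Proc(int(entry), comm, exe, True))
    return procs


# Constructed sample snapshot: two benign entries, two masquerading ones.
SAMPLE_PROCS = [
    Proc(1201, "update-notifier", "/usr/bin/update-notifier", True),
    Proc(2333, "update-notifier", "/tmp/.cache/upd", True),
    Proc(4100, "MsMpEng.exe", r"C:\Program Files\Windows Defender\MsMpEng.exe", False),
    Proc(4188, "MsMpEng.exe", r"C:\Users\Public\MsMpEng.exe", False),
    Proc(777, "sshd", "/usr/sbin/sshd", True),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_PROCS).items():
        for line in hits:
            print(line)
```

On a real host, replace SAMPLE_PROCS with snapshot_linux() and feed the findings into whatever alerting is in place; the comm check produces noise for interpreted programs and wrappers, so the exemption list needs tuning per fleet.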
In summary, ACBackdoor gives the attackers the ability to take over the victim's system: receiving and updating commands from the C2 server, running shell commands, executing binaries and planting additional malware on the system.
Virsec’s Unique Approach to Protecting Applications at Runtime
Virsec provides guard-rail protection for your applications, countering a broad spectrum of cyber attacks.
Only Virsec Security Platform Delivers:
- Protection of application workflows, processes, file systems, libraries, memory and more at runtime
- Precise attack remediation and automation early in the attack cycle without need for expert analysis or machine learning
- Deterministic threat detection based on request deviations initiated by malicious code, remote hackers, files and trusted processes, no matter how attacks originate
Data breaches and ransomware attacks are among the biggest threats against organizations today. Our demo shows a multi-step ransomware attack in action using advanced hacking tools. See how the Virsec Security Platform can instantly spot this attack at every stage and stop it. If you are interested in partnering with Virsec, we invite you to do so before you face a ransom demand, or while you are recovering from one.