NEW MALWARE TARGETING BOTH WINDOWS AND LINUX MACHINE HAS BEEN DISCOVERED

Recently, a malware called ACbackdoor has been discovered that infects both Windows and Linux based systems.

With little to no documentation of its origin, it has capabilities for fairly complex operations, including arbitrary execution of shell commands, updating itself, arbitrary binary execution, and persistence. Although the two variants have different backdoor commands and differ in nature, they also share similarities, such as using the same protocol to communicate with their Command & Control (C&C) centre.

Furthermore, the Linux variant appears more complex, with extra capabilities such as process renaming. This is also evident from a search for the Linux binary on VirusTotal, where it is detected by only one anti-malware scanning engine, whereas the Windows version had a significantly higher detection rate of 37/70.

The Linux version was initially found on a Romanian-hosted server, whereas the Windows one was delivered via an exploit kit called Fallout, as revealed by Nao Sec. "The Linux implant has noticeably been written better than the Windows implant, highlighting the implementation of the persistence mechanism along with the different backdoor commands and additional features not seen in the Windows version such as independent process creation and process renaming," the company stated in its blog.

ACbackdoor a Malware that Infects both Windows and Linux Systems

Once it infects a system, it uses the operating system's own facilities to collect information such as the architecture and MAC address: on Windows it calls the Windows API, and on Unix it runs the uname program, which is commonly used to report system information. Next, it adds a registry entry on Windows and an initrd script on Linux so that it is launched automatically at startup, which makes it more persistent.

It doesn't stop there: to avoid being noticed once all of this is done, it hides by renaming itself after the commonly seen MsMpEng.exe process on Windows, better known as the Windows Defender antimalware service. A user would therefore assume a legitimate program is running when in reality it is this trojan. On Linux it poses as Ubuntu's UpdateNotifier utility and renames its process to [kworker/u8:7-ev], the bracketed form in which kernel worker threads appear in a process listing.
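The masquerading described above can be checked for from the defender's side. The following is an added example and not code from the article or from the company that analysed ACbackdoor. It relies on two facts: a genuine Linux kernel thread has an empty /proc/PID/cmdline and no readable /proc/PID/exe link, so a user-space binary that has rewritten its argv[0] to a bracketed name like [kworker/u8:7-ev] stands out; and on Windows the real MsMpEng.exe lives only under the Windows Defender installation directories (the two path prefixes below are assumptions about a default install, not values from the article).

```python
"""Spot processes wearing a borrowed name: fake kernel threads on Linux and
MsMpEng.exe running from an unexpected location on Windows.
Added example; the Defender directory prefixes are assumptions."""
import os
import re

# ps/top show kernel threads in brackets, e.g. "[kworker/u8:7-ev]".
BRACKETED_NAME = re.compile(r"^\[.+\]$")

# Assumed legitimate install locations for MsMpEng.exe (default Windows setup).
DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)


def classify_linux(cmdline: str, has_exe: bool) -> str:
    """Classify one Linux process from its raw /proc/PID/cmdline and whether
    /proc/PID/exe could be read.

    Returns 'kernel' for a genuine kernel thread (empty cmdline, no exe),
    'masquerade' for a user-space process carrying a bracketed kernel-style
    name, and 'user' for everything else."""
    if cmdline == "" and not has_exe:
        return "kernel"
    argv0 = cmdline.split("\0")[0]
    if BRACKETED_NAME.match(argv0):
        return "masquerade"
    return "user"


def check_windows_image(image_name: str, image_path: str) -> str:
    """For MsMpEng.exe, report whether the image path is under a known
    Defender directory. Other image names are out of scope ('n/a')."""
    if image_name.lower() != "msmpeng.exe":
        return "n/a"
    normalized = image_path.lower().replace("/", "\\")
    if any(normalized.startswith(prefix) for prefix in DEFENDER_DIRS):
        return "expected"
    return "unexpected-location"


def scan_linux_proc() -> list:
    """Walk /proc and return (pid, argv0) for every masquerading process.
    Returns an empty list on systems without /proc (e.g. Windows)."""
    findings = []
    if not os.path.isdir("/proc"):
        return findings
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        base = os.path.join("/proc", entry)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read().decode("utf-8", "replace")
        except OSError:
            continue  # process exited or is not readable
        try:
            os.readlink(os.path.join(base, "exe"))
            has_exe = True
        except OSError:
            has_exe = False
        if classify_linux(cmdline, has_exe) == "masquerade":
            findings.append((int(entry), cmdline.split("\0")[0]))
    return findings


if __name__ == "__main__":
    # Constructed sample facts, as a triage script would derive them from /proc
    # or from a Windows process listing.
    print(classify_linux("[kworker/u8:7-ev]", True))      # masquerade
    print(classify_linux("", False))                       # kernel
    print(check_windows_image("MsMpEng.exe", "C:\\Users\\Public\\MsMpEng.exe"))
    for pid, name in scan_linux_proc():
        print(f"suspicious: pid={pid} argv0={name}")
```

A caveat on the Linux check: a process that changes only its comm via prctl(PR_SET_NAME) still keeps its original cmdline and a readable exe link, so the scanner above should be paired with a comparison of /proc/PID/comm against the basename of /proc/PID/exe for fuller coverage.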

In conclusion, we will have to wait to see who turns out to be behind the malware, since that could help deduce the attacker's ultimate motives. For now, the important takeaway is not to blindly trust processes that look legitimate, since, as seen here, they may in fact be malicious ones that have renamed themselves.