Researchers have discovered a previously undetected multi-platform malware that targets Windows and Linux platforms to steal sensitive information from compromised machines. The malware, dubbed ACbackdoor, comes in Windows and Linux variants, with the latter being more sophisticated, which suggests that the backdoor was created by a threat group with more experience in developing malicious tools for the Linux platform, according to a latest report from Intezer.
"ACBackdoor provides arbitrary execution of shell commands, arbitrary binary execution, persistence, and update capabilities," the firm found.
The Linux variant has a very low detection rate (the Linux malicious binary is detected by only one of the anti-malware scanning engines on VirusTotal), while the Windows variant is detected by 37 out of 70 antivirus solutions.
The Linux binary is a statically linked ELF file, while the Windows binary is a dynamically linked PE file. While both versions share practically the same functionality (with some minor differences in terms of implementation) and communicate with the same command and control server, they use different delivery methods to infect target systems: the Windows variant is being spread via the Fallout Exploit Kit, while the infection vector the Linux version uses is yet unknown.
The Linux version is more complex than the Windows one although both variants share a similar control flow and logic.
"The Linux implant has noticeably been written better than the Windows implant, highlighting the implementation of the persistence mechanism along with the different backdoor commands and additional features not seen in the Windows version such as independent process creation and process renaming," the researchers said.
Once the Windows variant infects a victim’s machine, it collects architecture, system, and MAC address information by calling the correspondent Windows API functions. The Linux variant uses “a different technique that mainly relies on uname system call to retrieve architecture and system information, in addition to a combination of socket / ioctl system calls to retrieve the MAC address”.
Once the info has been gathered, ACbackdoor will add a registry entry on Windows (the Windows variant) or create several symbolic links as well as an initrd script on Linux (the Linux version) to gain persistence and get automatically launched on system startup.
As not to raise the suspicions, the malware attempts to masquerade itself as a Microsoft Anti Spyware utility (MsMpEng.exe) or as the Ubuntu release update utility (update-notifier).
To communicate with its command and control server, both malware versions use Hypertext Transfer Protocol Secure (HTTPS) as a communication channel, with all the harvested information being sent as a BASE64 encoded payload.
“We can assess with high confidence that this threat group has experience developing Linux-based malware. Because there is no attributable information documented on this backdoor, there is a possibility that some known Linux-based threat group is updating its toolset,” the researchers wrote.