SecurityWeek

Malware & Threats

New Cross-Platform Backdoors Target Linux, Windows

Researchers at Kaspersky Lab have discovered a Linux backdoor that has been migrated to Windows and added a series of new capabilities.

The malware was initially spotted on Linux systems, where it already had a full set of features that allowed the attackers to monitor all of a victim’s activities, including capturing audio and taking screenshots. Researchers found that the backdoor was written in C++ and Qt, a cross-platform application framework, and that it was compiled toward the end of September 2015.

Called DropboxCache, also known as Backdoor.Linux.Mokes.a, the malware connects to a hardcoded command and control (C&C) server, then sends an HTTP request every minute as a heartbeat and receives a one-byte image in response, Kaspersky Lab’s Stefan Ortloff explains in a blog post. To receive data and commands from the C&C server, the backdoor connects to TCP port 433 (a non-standard port, not the usual HTTPS port 443) using a custom protocol with AES encryption, Ortloff said.

According to Kaspersky, the malware authors made no effort to obfuscate the code, which made it easy to analyze.

The second backdoor the researchers discovered is called OLMyJuxM.exe (Backdoor.Win32.Mokes.imv), which emerged recently on Windows-based systems. According to Kaspersky, the analysis of this piece of malware quickly revealed that it is a 32-bit Windows variant of Backdoor.Linux.Mokes.a.

The malware uses the SetWindowsHook API to implement its keylogger and to monitor mouse input and internal messages posted to the message queue. The backdoor then contacts the C&C server for commands and keeps checking in once per minute with a heartbeat sent over HTTP (GET /v1), the same as the Linux variant.

The cybercriminals behind the malware designed it to receive commands and to upload or download additional resources via TCP port 433, so egress connections to that port are worth watching for in network logs. Researchers also explain that the Windows backdoor uses the same filename templates as the Linux variant to save the captured screenshots, audio recordings, keylogs and other arbitrary data.
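The one-minute GET /v1 heartbeat with a one-byte response, shared by both variants, is a good candidate for a simple beaconing detection in proxy logs. The script below is an added example written for this page; it is not code from Kaspersky or from the malware. It assumes a constructed, whitespace-separated proxy log format (ISO timestamp, source IP, method, URL, status, response bytes) and flags any source host that repeatedly requests the same path from the same destination at near-constant intervals close to 60 seconds while receiving responses of at most one byte. The sample log lines are constructed, and 203.0.113.7 is a documentation address, not a real C&C server.

```python
"""Detect Mokes-style HTTP heartbeats in proxy logs (added example, not Kaspersky's code).

Assumed (constructed) log format, one request per line:
    <ISO timestamp> <src_ip> <method> <url> <status> <response_bytes>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample telemetry: 10.0.0.12 beacons to 203.0.113.7 every ~60 s,
# 10.0.0.33 hits a /v1 path only three times at irregular intervals (benign noise).
SAMPLE_LOG = """\
2015-10-01T09:00:00 10.0.0.12 GET http://203.0.113.7/v1 200 1
2015-10-01T09:00:03 10.0.0.12 GET http://example.com/index.html 200 5120
2015-10-01T09:01:00 10.0.0.12 GET http://203.0.113.7/v1 200 1
2015-10-01T09:01:59 10.0.0.12 GET http://203.0.113.7/v1 200 1
2015-10-01T09:03:01 10.0.0.12 GET http://203.0.113.7/v1 200 1
2015-10-01T09:04:00 10.0.0.12 GET http://203.0.113.7/v1 200 1
2015-10-01T09:00:10 10.0.0.33 GET http://cdn.example.net/v1 200 1
2015-10-01T09:00:40 10.0.0.33 GET http://cdn.example.net/v1 200 1
2015-10-01T09:07:10 10.0.0.33 GET http://cdn.example.net/v1 200 1
"""


def parse_line(line):
    """Split one log line into a dict with typed fields."""
    ts, src, method, url, status, size = line.split()
    parsed = urlparse(url)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "method": method,
        "host": parsed.hostname,
        "path": parsed.path,
        "status": int(status),
        "size": int(size),
    }


def find_beacons(log_text, path="/v1", period=60.0, tolerance=5.0,
                 min_hits=4, max_bytes=1):
    """Return (src, host, hit_count, mean_interval_s) for each suspected beacon.

    A (src, host) pair is flagged when it issues at least `min_hits` GET requests
    for `path` with responses of at most `max_bytes`, and the gaps between those
    requests have both a mean within `tolerance` of `period` and a small spread.
    """
    groups = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["method"] == "GET" and rec["path"] == path and rec["size"] <= max_bytes:
            groups[(rec["src"], rec["host"])].append(rec["ts"])

    flagged = []
    for (src, host), stamps in groups.items():
        if len(stamps) < min_hits:
            continue  # too few check-ins to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Near-constant ~60 s spacing is the heartbeat signature described above.
        if abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            flagged.append((src, host, len(stamps), round(mean(gaps), 1)))
    return flagged


if __name__ == "__main__":
    for src, host, hits, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {host} ({hits} hits, ~{interval}s apart)")
```

The jitter tolerance matters: real check-ins drift by a second or two because of scheduling and network latency, so requiring exactly 60-second gaps would miss them, while the low standard deviation still separates a timer-driven beacon from a human browsing the same path.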

Further analysis of the malicious program revealed that it also includes code to capture images from a connected camera, such as a built-in webcam. Additionally, Kaspersky researchers explain that, unlike the Linux variant, the Windows malware has the keylogger active from the start.

Like the Linux backdoor, the Windows binary contains a series of suspicious strings in the clear. To keep Windows from treating the file as untrusted and prompting the user to confirm execution, the authors signed it with a certificate issued by the COMODO RSA Code Signing CA; the researchers did not disclose the name of the entity to which the certificate was issued.

Kaspersky Lab researchers warn that the malware appears to have been designed to be platform independent, suggesting that a Mac OS X variant may not be far off. As always, users are advised to keep an anti-virus program enabled and up to date, to avoid opening emails from unknown sources or clicking on suspicious attachments or links, and to avoid installing applications from untrusted sources.

Related: Windows Backdoor Ported to Mac OS X, Used in Targeted Attacks

Related: Stealthy Backdoor Compromised Global Organizations Since 2013: FireEye

Related: Cross Platform ‘Java-bot’ Launches DDoS Attacks
