SecurityWeek

Malware & Threats

New Cross-Platform Backdoors Target Linux, Windows

Researchers at Kaspersky Lab have discovered a Linux backdoor that has been migrated to Windows and added a series of new capabilities.

The malware was initially spotted on Linux systems, where it had a full set of features that allowed the attackers to monitor all of a victim’s activities, including the ability to capture audio and take screenshots. Researchers found that the backdoor was written in C++ and Qt, a cross-platform application framework, and that it was compiled toward the end of September 2015.

Called DropboxCache, also known as Backdoor.Linux.Mokes.a, the malware connects to a hardcoded command and control (C&C) server, after which it performs an HTTP request every minute and receives one-byte images in response, Kaspersky Lab’s Stefan Ortloff explains in a blog post. The backdoor connects to TCP port 433 using a custom protocol and AES encryption to receive data and commands from the C&C server, Ortloff said.

According to Kaspersky, the malware authors didn’t put effort into obfuscating the code in any way, making it easier to analyze.

The second backdoor the researchers discovered is called OLMyJuxM.exe (Backdoor.Win32.Mokes.imv), which emerged recently on Windows-based systems. According to Kaspersky, the analysis of this piece of malware quickly revealed that it is a 32-bit Windows variant of Backdoor.Linux.Mokes.a.

The malware uses the SetWindowsHook API for keylogger functionality and for monitoring mouse inputs and internal messages posted to the message queue. The backdoor then contacts the C&C server for commands, and continues to connect to it once per minute by sending a heartbeat signal via HTTP (GET /v1), the same as the Linux variant.
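As an added illustration of how the once-per-minute GET /v1 heartbeat described above could be surfaced in web proxy logs, here is a small beacon-interval detector written for this page (not Kaspersky's analysis tooling); the log format, hosts, paths and timestamps are constructed, and the regularity threshold is an assumed tuning value.

```python
"""Flag flows whose request spacing is nearly constant, i.e. machine-driven
heartbeats such as a backdoor polling GET /v1 every minute."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log sample (not real telemetry): 10.0.0.5 polls one
# destination about every 60 s; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
2015-10-01T10:00:00 10.0.0.5 198.51.100.7 GET /v1
2015-10-01T10:00:12 10.0.0.9 203.0.113.20 GET /index.html
2015-10-01T10:01:00 10.0.0.5 198.51.100.7 GET /v1
2015-10-01T10:01:59 10.0.0.5 198.51.100.7 GET /v1
2015-10-01T10:02:10 10.0.0.9 203.0.113.20 GET /news
2015-10-01T10:03:01 10.0.0.5 198.51.100.7 GET /v1
2015-10-01T10:04:00 10.0.0.5 198.51.100.7 GET /v1
2015-10-01T10:05:30 10.0.0.9 203.0.113.20 GET /index.html
"""


def parse(log):
    """Yield (timestamp, src, dst, path) from whitespace-separated log lines."""
    for line in log.splitlines():
        ts, src, dst, _method, path = line.split()
        yield datetime.fromisoformat(ts), src, dst, path


def find_beacons(log, min_hits=4, jitter=0.1):
    """Return (src, dst, path, mean_interval_s) for flows with at least
    min_hits requests whose gap stdev is within jitter * mean gap."""
    flows = defaultdict(list)
    for ts, src, dst, path in parse(log):
        flows[(src, dst, path)].append(ts)
    hits = []
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= jitter * avg:
            hits.append((*key, round(avg)))
    return hits


if __name__ == "__main__":
    for src, dst, path, period in find_beacons(SAMPLE_LOG):
        print(f"beacon: {src} -> {dst} {path} every ~{period}s")
```

On the constructed sample this reports only the 10.0.0.5 flow to /v1 at a 60 s period; the threshold and minimum hit count should be tuned against a baseline of the environment's own periodic traffic (update checks, monitoring agents) before use.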

The cybercriminals behind the malware designed it to receive commands and to upload or download additional resources via TCP port 433. Researchers also explain that the Windows backdoor uses the same filename templates to save the captured screenshots, audio captures, keylogs and other arbitrary data.

Further analysis of the malicious program revealed that it also includes code to capture images from a connected camera, such as a built-in webcam. Additionally, Kaspersky researchers explain that, unlike the Linux variant, the Windows malware has the keylogger active from the start.

Like the Linux backdoor, this malicious program’s binary contains a series of suspicious strings. To ensure that Windows does not flag the malware as suspicious or ask users to confirm execution, the authors signed it with a trusted certificate issued by COMODO RSA Code Signing CA; the researchers did not share the name of the entity to which the certificate was issued.

Kaspersky Lab researchers warn that the malware appears to have been designed to be platform independent, suggesting that it might not be too long before a Mac OS X variant emerges. As always, users are advised to have an anti-virus program enabled on their systems and kept up to date, as well as to avoid opening emails from unknown sources, clicking on suspicious attachments or links, or installing applications from untrusted sources.

Related: Windows Backdoor Ported to Mac OS X, Used in Targeted Attacks

Related: Stealthy Backdoor Compromised Global Organizations Since 2013: FireEye

Related: Cross Platform ‘Java-bot’ Launches DDoS Attacks
