ACBackdoor


Posted: November 19, 2019

Malware developers rarely target multiple operating systems with the same malware. One of the main reasons is that Linux systems are not that widespread, so targeting them is not always profitable. However, the authors of the new ACBackdoor appear to be experts in developing Linux-compatible malware: cybersecurity researchers note that the Linux version of ACBackdoor is well written and packs notable features such as fileless code execution and the ability to manipulate the properties of running processes. Besides running on Linux, ACBackdoor is also compatible with the Windows operating system, but the Windows version appears to be implemented poorly compared to its Linux counterpart. This leads malware researchers to suspect that the threat actor behind ACBackdoor specializes in Linux malware and may be trying to diversify its portfolio by porting some of that malware to Windows.

The Fallout EK Spreads the ACBackdoor

The ACBackdoor was first spotted when the Fallout Exploit Kit (Fallout EK) was seen distributing an unknown piece of malware. The use of the Fallout Exploit Kit is evidence that the criminals behind the ACBackdoor project are not new to the scene and have the funding to afford a high-profile exploit kit.

After the ACBackdoor is executed, it collects basic system information and transfers it to the attacker's control server via HTTPS. On Windows, the malware attempts to gain persistence by creating a new Windows Registry key and masquerading as a 'Microsoft Anti-Spyware Utility.' The Linux version, meanwhile, tries to stay stealthy by calling itself an 'Ubuntu Release Update Utility.'
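The Linux traits described above (fileless execution, tampering with the properties of running processes, and a process that calls itself an 'Ubuntu Release Update Utility') leave traces in procfs that a defender can check for. The script below is an added example written for this page; it is not code from the write-up or from the researchers who analysed the sample, and it does not carry any indicator from the sample itself. It assumes two generic Linux facts: a program started from memory or whose binary was unlinked after launch shows up with an `/proc/<pid>/exe` link ending in ` (deleted)` or beginning with `/memfd:`, and a process that rewrote its name has a `comm` or `argv[0]` that no longer matches the executable it was started from. The two display names it looks for are the ones quoted in the text; the `classify_process` and `scan_proc` function names are this example's own.

```python
import os
import re

# Display names quoted in the write-up. Matching is case-insensitive and
# ignores repeated whitespace so a padded variant is still caught.
MASQUERADE_NAMES = (
    "Microsoft Anti-Spyware Utility",
    "Ubuntu Release Update Utility",
)


def _norm(text):
    """Collapse whitespace and lower-case for tolerant substring matching."""
    return re.sub(r"\s+", " ", text).strip().lower()


def classify_process(comm, cmdline, exe_target):
    """Return heuristic findings for one process (empty list = nothing odd).

    comm       -- contents of /proc/<pid>/comm (kernel task name, max 15 chars)
    cmdline    -- argv as a list of strings, from /proc/<pid>/cmdline
    exe_target -- os.readlink('/proc/<pid>/exe'), or None if unreadable
    """
    findings = []
    argv0 = cmdline[0] if cmdline else ""

    # 1. One of the known cover names appears in the task name or argv.
    haystack = _norm(" ".join([comm] + cmdline))
    for name in MASQUERADE_NAMES:
        if _norm(name) in haystack:
            findings.append(f"masquerade-name:{name}")

    if exe_target is not None:
        # 2. Fileless or unlinked executable: the kernel reports a memfd-backed
        #    image or a path that no longer exists on disk.
        if exe_target.startswith("/memfd:") or exe_target.endswith(" (deleted)"):
            findings.append("fileless-or-deleted-exe")

        # 3. Name/executable mismatch: neither argv[0] nor comm corresponds to
        #    the binary the process was actually started from. A prefix match is
        #    accepted so that 'python3' running '/usr/bin/python3.11' or a login
        #    shell with argv[0] '-bash' is not flagged.
        exe_base = os.path.basename(exe_target.replace(" (deleted)", ""))
        argv_base = os.path.basename(argv0) if argv0 else ""
        argv_ok = bool(argv_base) and exe_base.startswith(argv_base)
        comm_ok = exe_base.startswith(comm)
        if exe_base and not argv_ok and not comm_ok:
            findings.append("name-exe-mismatch")

    return findings


def scan_proc(proc_root="/proc"):
    """Walk a procfs tree and return {pid: findings} for every flagged process."""
    results = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().rstrip("\n")
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = [a.decode(errors="replace")
                           for a in fh.read().split(b"\0") if a]
        except OSError:
            continue  # process exited, or not permitted to read it
        try:
            exe_target = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe_target = None  # kernel thread, or exe not readable at our privilege
        findings = classify_process(comm, cmdline, exe_target)
        if findings:
            results[int(entry)] = findings
    return results


if __name__ == "__main__":
    # Read-only sweep of the live system; run as root to see every process.
    for pid, flags in sorted(scan_proc().items()):
        print(pid, ", ".join(flags))
```

Each finding on its own is only a lead: deleted-executable links also appear after a package upgrade replaces a running daemon's binary, and interpreters routinely have a name that differs from their script. The combination of a cover name from the write-up with a memory-backed or unlinked executable is the pattern worth escalating.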

The ACBackdoor is very simple in terms of functionality, but it supports the primary features found in most backdoor Trojans:

  • It can collect and transmit details about the compromised system via the 'info' command.
  • It can run remote shell commands via the 'run' command.
  • It can transfer and run files from the control server via the 'execute' command.
  • It can update itself via the 'update' command.

It is still not clear whether the ACBackdoor malware targets a specific group of users or whether its authors are opting for quantity over quality. As usual, the best way to protect your Windows system from this threat is to invest in a trustworthy and up-to-date anti-malware tool.