
BlackRota Backdoor

Posted: November 26, 2020

Modern malware developers put a lot of time and effort into making their threatening programs difficult to decompile, analyze and detect. These are the exact properties found in the newly discovered BlackRota Backdoor, which was written in the Go programming language. According to malware researchers, the BlackRota project features heavy obfuscation, which makes it difficult to reverse-engineer the malware and get a good understanding of its modus operandi. What is known for now is that the BlackRota Backdoor works by exploiting vulnerabilities in the Docker Remote API. The Docker service has become a common target for malware developers recently – the Doki Trojan and Kinsing malware families also targeted misconfigured Docker servers.

The BlackRota Backdoor targets Linux devices exclusively, and it is compatible with 32-bit and 64-bit operating systems. The malware's payload is spread as an Executable and Linkable Format (ELF) file. BlackRota Backdoor's features include:

  • Execute shell commands.
  • Upload and execute files.
  • Download files from the compromised host onto the control server.
  • Browse files.
  • Delay execution.
  • Change the malware's working directory.

While the features of BlackRota Backdoor are not spectacular, malware experts were shocked by the amount of obfuscation used to protect the malware from being debugged. Similar obfuscation methods, typical for malware written in Go, were also found in the Ekans Ransomware project. Judging by the effort its developers put into making the project difficult to analyze, this is unlikely to be the last time we hear about the BlackRota Backdoor. Users of Docker servers and services can stay safe from the BlackRota Backdoor by implementing proper security measures and using strong login credentials.
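The misconfiguration the article refers to is a Docker Remote API exposed over plain TCP. The following audit script is an added example, not code from the article or from any analysis of BlackRota: it parses a Docker daemon.json and flags a TCP listener that lacks client-certificate verification or is bound to every interface. The two sample configurations (including the 10.0.0.5 management address) are constructed for the example.

```python
import json
from typing import List

# Constructed sample daemon.json contents (not from the article).
# Weak: the Remote API listens on all interfaces with no TLS at all.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Hardened: TCP listener restricted to one management address and
# protected by mutual TLS (tlsverify plus CA, cert and key paths).
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""


def audit_docker_daemon(config_text: str) -> List[str]:
    """Return findings describing how the Docker Remote API is exposed.

    An empty list means no TCP listener was found that lacks mutual TLS
    or that is bound to all interfaces.
    """
    cfg = json.loads(config_text)
    findings: List[str] = []
    hosts = cfg.get("hosts", [])          # default (no "hosts") is the unix socket only
    tls_verify = bool(cfg.get("tlsverify", False))

    for host in hosts:
        if not host.startswith("tcp://"):
            continue                      # unix:// and fd:// listeners are local only
        if not tls_verify:
            findings.append(f"{host}: TCP listener without client-certificate verification")
        addr = host[len("tcp://"):]
        # Binding to every interface widens exposure even when TLS is enabled
        if addr.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"{host}: bound to all interfaces; restrict it to a management address")

    if tls_verify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify is set but {key} is missing; mutual TLS cannot be enforced")
    return findings
```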
