Intezer Security has found a new backdoor, ACBackdoor, that has no known connection to an operating threat group, raising the possibility that it is the harbinger of a new gang's formation.
ACBackdoor is primarily Linux malware, but Intezer has spotted a Windows variant, and the company believes it was created by an experienced group of threat actors.
One piece of evidence that the ACBackdoor developers are experienced with Linux is that the Linux version has a lower detection rate, is better written than the Windows implant, and has a higher-quality persistence mechanism, along with different backdoor commands and additional features not seen in the Windows version, such as independent process creation and process renaming.
“The findings we present strongly suggest the group behind this malware has previous experience targeting Linux systems, and is expanding its coverage by porting ACBackdoor to Windows,” Intezer said in a report.
From a functionality standpoint, the Linux and Windows versions are almost identical: they share the same communications protocol and connect to the same C2 server. Differences arise in distribution, however. The Linux version is served from a Romanian-based server, though no delivery vector has been established, while the Windows version is being spread by the Fallout exploit kit via malvertising campaigns.