win.acbackdoor

ACBackdoor


A Linux backdoor that was apparently ported to Windows; this entry represents the Windows version. The Linux version appears to have been written first, with the Windows port following later without full functionality. The Linux version offers persistence as well as some process manipulation techniques, whereas both versions apparently offer the ability to access the command line, execute programs, and self-update.

References
2019-11-18 | Bleeping Computer | Sergiu Gatlan
@online{gatlan:20191118:linux:3b44951, author = {Sergiu Gatlan}, title = {{Linux, Windows Users Targeted With New ACBackdoor Malware}}, date = {2019-11-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/}, language = {English}, urldate = {2020-01-13} } Linux, Windows Users Targeted With New ACBackdoor Malware
Yara Rules
[TLP:WHITE] win_acbackdoor_auto (20230715 | Detects win.acbackdoor.)
rule win_acbackdoor_auto {
    // Auto-generated code-pattern rule for the Windows build of ACBackdoor
    // (win.acbackdoor). It matches on short x86 instruction byte sequences
    // taken from the family's disassembly rather than on strings, so hits
    // depend on this particular compiled code (see the DISCLAIMER below on
    // single-sample coverage and how to weight confidence).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.acbackdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acbackdoor"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a hex string of n = 7 consecutive x86 instructions.
        // "??" bytes are wildcards; the generator leaves the disassembly column
        // blank for those instructions (presumably operands that vary between
        // builds or load addresses, such as call/jump targets and absolute data
        // references — confirm against the yara-signator documentation).
        // "score = 100" is the generator's own ranking metric; its scale is not
        // documented here.
        $sequence_0 = { 8b442448 89742404 89442408 a1???????? 891c24 ff5034 85c0 }
            // n = 7, score = 100
            //   8b442448             | mov                 eax, dword ptr [esp + 0x48]
            //   89742404             | mov                 dword ptr [esp + 4], esi
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   a1????????           |                     
            //   891c24               | mov                 dword ptr [esp], ebx
            //   ff5034               | call                dword ptr [eax + 0x34]
            //   85c0                 | test                eax, eax

        $sequence_1 = { c744240410000000 890424 e8???????? 85c0 0f844c060000 893424 8944241c }
            // n = 7, score = 100
            //   c744240410000000     | mov                 dword ptr [esp + 4], 0x10
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f844c060000         | je                  0x652
            //   893424               | mov                 dword ptr [esp], esi
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax

        $sequence_2 = { e8???????? 89c6 85c0 0f847f000000 8b842450020000 c744241000000000 c744240c00000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   89c6                 | mov                 esi, eax
            //   85c0                 | test                eax, eax
            //   0f847f000000         | je                  0x85
            //   8b842450020000       | mov                 eax, dword ptr [esp + 0x250]
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   c744240c00000000     | mov                 dword ptr [esp + 0xc], 0

        $sequence_3 = { 89442404 891c24 e8???????? 85c0 7426 c744240440000000 893424 }
            // n = 7, score = 100
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7426                 | je                  0x28
            //   c744240440000000     | mov                 dword ptr [esp + 4], 0x40
            //   893424               | mov                 dword ptr [esp], esi

        $sequence_4 = { ff15???????? 3b6c2410 75e3 8b542414 89d8 8b5c241c 85d2 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   3b6c2410             | cmp                 ebp, dword ptr [esp + 0x10]
            //   75e3                 | jne                 0xffffffe5
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   89d8                 | mov                 eax, ebx
            //   8b5c241c             | mov                 ebx, dword ptr [esp + 0x1c]
            //   85d2                 | test                edx, edx

        $sequence_5 = { 8bb424a0000000 83e20f 8d34d6 8b542428 8b86c0000000 337e44 83e20f }
            // n = 7, score = 100
            //   8bb424a0000000       | mov                 esi, dword ptr [esp + 0xa0]
            //   83e20f               | and                 edx, 0xf
            //   8d34d6               | lea                 esi, [esi + edx*8]
            //   8b542428             | mov                 edx, dword ptr [esp + 0x28]
            //   8b86c0000000         | mov                 eax, dword ptr [esi + 0xc0]
            //   337e44               | xor                 edi, dword ptr [esi + 0x44]
            //   83e20f               | and                 edx, 0xf

        $sequence_6 = { ff15???????? e9???????? 81ff80400000 751a c7442408???????? 895c2404 893424 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   e9????????           |                     
            //   81ff80400000         | cmp                 edi, 0x4080
            //   751a                 | jne                 0x1c
            //   c7442408????????     |                     
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   893424               | mov                 dword ptr [esp], esi

        $sequence_7 = { c7442458a4e14a00 c78424a400000000000000 e8???????? 8d8424b4000000 890424 e8???????? 8d8424c0000000 }
            // n = 7, score = 100
            //   c7442458a4e14a00     | mov                 dword ptr [esp + 0x58], 0x4ae1a4
            //   c78424a400000000000000     | mov    dword ptr [esp + 0xa4], 0
            //   e8????????           |                     
            //   8d8424b4000000       | lea                 eax, [esp + 0xb4]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   8d8424c0000000       | lea                 eax, [esp + 0xc0]

        $sequence_8 = { e9???????? ba80bfffff e9???????? baf0ffffff e9???????? 890424 e8???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   ba80bfffff           | mov                 edx, 0xffffbf80
            //   e9????????           |                     
            //   baf0ffffff           | mov                 edx, 0xfffffff0
            //   e9????????           |                     
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

        $sequence_9 = { e9???????? dfabe00a0000 d835???????? 31c0 dd1a e9???????? dfabf80a0000 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   dfabe00a0000         | fild                qword ptr [ebx + 0xae0]
            //   d835????????         |                     
            //   31c0                 | xor                 eax, eax
            //   dd1a                 | fstp                qword ptr [edx]
            //   e9????????           |                     
            //   dfabf80a0000         | fild                qword ptr [ebx + 0xaf8]

    condition:
        // Any 7 of the 10 sequences above must be present; the filesize bound
        // (1704960 bytes, about 1.63 MiB) limits scanning of large inputs.
        // No PE header test (e.g. uint16(0) == 0x5a4d) is applied, which keeps
        // the rule usable on memory dumps that do not begin with an MZ header
        // (the DISCLAIMER notes dumps were among the generation inputs); add
        // such a test yourself if you only scan files on disk and want fewer
        // incidental hits.
        7 of them and filesize < 1704960
}