win.acbackdoor

ACBackdoor


A Linux backdoor that was apparently ported to Windows. This entry represents the Windows version. It appears the Linux version was written first and the Windows version was ported later, without the full functionality of the original. The Linux version offers persistence as well as some process-manipulation techniques; both versions apparently offer the ability to access the command line, execute programs, and self-update.

References
2019-11-18 — Bleeping Computer — Sergiu Gatlan
@online{gatlan:20191118:linux:3b44951, author = {Sergiu Gatlan}, title = {{Linux, Windows Users Targeted With New ACBackdoor Malware}}, date = {2019-11-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/}, language = {English}, urldate = {2020-01-13} } Linux, Windows Users Targeted With New ACBackdoor Malware
Yara Rules
[TLP:WHITE] win_acbackdoor_auto (20230125 | Detects win.acbackdoor.)
rule win_acbackdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.acbackdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acbackdoor"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading the strings section:
     * Each $sequence_N is a hex pattern covering seven consecutive x86
     * instructions (the "n = 7" annotation) taken from the sample's
     * disassembly; the commented lines under each pattern show the bytes
     * next to their decoded instruction. Bytes written as ?? are YARA
     * wildcards and match any value. They appear on the call/jmp/cmp/mov
     * lines whose disassembly column is left blank, which - given the
     * signator_config above (callsandjumps;datarefs;binvalue) - presumably
     * masks relocation-dependent operands such as call targets and absolute
     * data addresses, so only opcodes and build-independent immediates and
     * stack displacements are pinned. The "score = 100" annotation is
     * YARA-Signator's own ranking of the sequence and is not evaluated by
     * YARA. The strings are taken from unpacked/memory-dumped code (see the
     * disclaimer), so they will not match a packed file on disk.
     */

    strings:
        $sequence_0 = { ff15???????? 8b442438 8918 8b842470100000 c60001 807c243700 7427 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   8918                 | mov                 dword ptr [eax], ebx
            //   8b842470100000       | mov                 eax, dword ptr [esp + 0x1070]
            //   c60001               | mov                 byte ptr [eax], 1
            //   807c243700           | cmp                 byte ptr [esp + 0x37], 0
            //   7427                 | je                  0x29

        $sequence_1 = { e8???????? 8d4660 890424 e8???????? 891c24 e8???????? 8d4614 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8d4660               | lea                 eax, [esi + 0x60]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   8d4614               | lea                 eax, [esi + 0x14]

        $sequence_2 = { 8b10 3915???????? 0f849f010000 8b08 390d???????? 0f84a6000000 8b10 }
            // n = 7, score = 100
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   3915????????         |                     
            //   0f849f010000         | je                  0x1a5
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   390d????????         |                     
            //   0f84a6000000         | je                  0xac
            //   8b10                 | mov                 edx, dword ptr [eax]

        $sequence_3 = { e9???????? 81ff80520000 751a c7442408???????? 895c2404 893424 ff15???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   81ff80520000         | cmp                 edi, 0x5280
            //   751a                 | jne                 0x1c
            //   c7442408????????     |                     
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   893424               | mov                 dword ptr [esp], esi
            //   ff15????????         |                     

        $sequence_4 = { c744240c9f100000 c7442408???????? c744240401000000 892c24 89442438 e8???????? 8b5500 }
            // n = 7, score = 100
            //   c744240c9f100000     | mov                 dword ptr [esp + 0xc], 0x109f
            //   c7442408????????     |                     
            //   c744240401000000     | mov                 dword ptr [esp + 4], 1
            //   892c24               | mov                 dword ptr [esp], ebp
            //   89442438             | mov                 dword ptr [esp + 0x38], eax
            //   e8????????           |                     
            //   8b5500               | mov                 edx, dword ptr [ebp]

        $sequence_5 = { c744240400000000 8b742428 891c24 e8???????? 85c0 0f85ea000000 c744240400000000 }
            // n = 7, score = 100
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   8b742428             | mov                 esi, dword ptr [esp + 0x28]
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f85ea000000         | jne                 0xf0
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0

        $sequence_6 = { c744241004000000 8944240c c744240801100000 c7442404ffff0000 891c24 ff15???????? 83ec14 }
            // n = 7, score = 100
            //   c744241004000000     | mov                 dword ptr [esp + 0x10], 4
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   c744240801100000     | mov                 dword ptr [esp + 8], 0x1001
            //   c7442404ffff0000     | mov                 dword ptr [esp + 4], 0xffff
            //   891c24               | mov                 dword ptr [esp], ebx
            //   ff15????????         |                     
            //   83ec14               | sub                 esp, 0x14

        $sequence_7 = { 895c2404 893424 ff15???????? e9???????? 83ff34 751a c7442408???????? }
            // n = 7, score = 100
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   893424               | mov                 dword ptr [esp], esi
            //   ff15????????         |                     
            //   e9????????           |                     
            //   83ff34               | cmp                 edi, 0x34
            //   751a                 | jne                 0x1c
            //   c7442408????????     |                     

        $sequence_8 = { e9???????? 89c5 c744241052a54a00 c744240c34010000 e9???????? 8b6c243c c744241050a84a00 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   89c5                 | mov                 ebp, eax
            //   c744241052a54a00     | mov                 dword ptr [esp + 0x10], 0x4aa552
            //   c744240c34010000     | mov                 dword ptr [esp + 0xc], 0x134
            //   e9????????           |                     
            //   8b6c243c             | mov                 ebp, dword ptr [esp + 0x3c]
            //   c744241050a84a00     | mov                 dword ptr [esp + 0x10], 0x4aa850

        $sequence_9 = { f7e9 89c8 c1f81f 29c2 8d0452 89ca 01c0 }
            // n = 7, score = 100
            //   f7e9                 | imul                ecx
            //   89c8                 | mov                 eax, ecx
            //   c1f81f               | sar                 eax, 0x1f
            //   29c2                 | sub                 edx, eax
            //   8d0452               | lea                 eax, [edx + edx*2]
            //   89ca                 | mov                 edx, ecx
            //   01c0                 | add                 eax, eax

    condition:
        // Fires when at least 7 of the 10 sequences above are found anywhere
        // in the scanned data AND the data is smaller than 1704960 bytes
        // (about 1.63 MiB). The 7-of-10 threshold leaves headroom for a few
        // sequences to be altered by recompilation; the size cap is presumably
        // sized from the single documented sample (see the disclaimer), so a
        // padded, repacked or otherwise larger build would fall outside it
        // even if all sequences are present.
        7 of them and filesize < 1704960
}