win.acbackdoor

ACBackdoor


A Linux backdoor that was apparently ported to Windows. This entry represents the Windows version. It appears the Linux version was written first and the Windows version was ported later, without the full functionality. The Linux version offers persistence as well as some process-manipulation techniques; both versions apparently offer the ability to access the command line, execute programs and self-update.

References
2019-11-18 · Bleeping Computer · Sergiu Gatlan
@online{gatlan:20191118:linux:3b44951, author = {Sergiu Gatlan}, title = {{Linux, Windows Users Targeted With New ACBackdoor Malware}}, date = {2019-11-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/}, language = {English}, urldate = {2020-01-13} } Linux, Windows Users Targeted With New ACBackdoor Malware
Yara Rules
[TLP:WHITE] win_acbackdoor_auto (20220808 | Detects win.acbackdoor.)
rule win_acbackdoor_auto {
    // Auto-generated code-sequence rule for the Windows build of ACBackdoor.
    // It matches on ten 7-instruction x86 byte sequences ($sequence_0..9)
    // lifted from disassembly; at least 7 of them must be present (see
    // condition). Because the generator worked from Malpedia samples (see
    // DISCLAIMER below: possibly a single sample per family), treat a hit as
    // a strong indicator for this specific build rather than for every
    // variant, and pair it with other telemetry before assigning confidence.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.acbackdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acbackdoor"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Reading the annotations below each string:
        //   "n"     - number of instructions in the sequence (7 for all of them)
        //   "score" - the generator's ranking value for the sequence (its exact
        //             semantics are defined by yara-signator, not reproduced here)
        // Bytes written as ???????? are YARA wildcards: the generator left the
        // 4-byte operand unpinned (the disassembly column is blank on those lines),
        // so call/jmp targets and one mov immediate match regardless of where the
        // code was linked or relocated.
        // NOTE(review): $sequence_0 does pin an absolute immediate (0x4a80d8), so
        // that sequence presumably only matches builds with the same image base /
        // data layout — confirm before relying on it alone.
        $sequence_0 = { c7442410d8804a00 c744240cd80f0000 c7442408???????? c744240403000000 892c24 e8???????? 8b4578 }
            // n = 7, score = 100
            //   c7442410d8804a00     | mov                 dword ptr [esp + 0x10], 0x4a80d8
            //   c744240cd80f0000     | mov                 dword ptr [esp + 0xc], 0xfd8
            //   c7442408????????     |                     
            //   c744240403000000     | mov                 dword ptr [esp + 4], 3
            //   892c24               | mov                 dword ptr [esp], ebp
            //   e8????????           |                     
            //   8b4578               | mov                 eax, dword ptr [ebp + 0x78]

        $sequence_1 = { c744240401000000 891c24 e8???????? 85c0 0f85f8030000 8b737c 8b4378 }
            // n = 7, score = 100
            //   c744240401000000     | mov                 dword ptr [esp + 4], 1
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f85f8030000         | jne                 0x3fe
            //   8b737c               | mov                 esi, dword ptr [ebx + 0x7c]
            //   8b4378               | mov                 eax, dword ptr [ebx + 0x78]

        $sequence_2 = { 89542450 0f44c8 85d2 89c2 0f45442450 89442450 8b83d0020000 }
            // n = 7, score = 100
            //   89542450             | mov                 dword ptr [esp + 0x50], edx
            //   0f44c8               | cmove               ecx, eax
            //   85d2                 | test                edx, edx
            //   89c2                 | mov                 edx, eax
            //   0f45442450           | cmovne              eax, dword ptr [esp + 0x50]
            //   89442450             | mov                 dword ptr [esp + 0x50], eax
            //   8b83d0020000         | mov                 eax, dword ptr [ebx + 0x2d0]

        $sequence_3 = { e8???????? 85c0 0f848d000000 89c6 83c414 89f0 5b }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f848d000000         | je                  0x93
            //   89c6                 | mov                 esi, eax
            //   83c414               | add                 esp, 0x14
            //   89f0                 | mov                 eax, esi
            //   5b                   | pop                 ebx

        $sequence_4 = { 893c24 e8???????? b81c000000 81c4ec000000 5b 5e 5f }
            // n = 7, score = 100
            //   893c24               | mov                 dword ptr [esp], edi
            //   e8????????           |                     
            //   b81c000000           | mov                 eax, 0x1c
            //   81c4ec000000         | add                 esp, 0xec
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi

        // Three consecutive wildcarded branch/call opcodes: only the three
        // opcode bytes (e9, e8, e9) and the trailing four movs are pinned here.
        $sequence_5 = { e9???????? e8???????? e9???????? 8b442470 895c2414 897c240c 89442410 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   e8????????           |                     
            //   e9????????           |                     
            //   8b442470             | mov                 eax, dword ptr [esp + 0x70]
            //   895c2414             | mov                 dword ptr [esp + 0x14], ebx
            //   897c240c             | mov                 dword ptr [esp + 0xc], edi
            //   89442410             | mov                 dword ptr [esp + 0x10], eax

        // $sequence_6 and $sequence_8 are the same instruction shape (an indirect
        // call, a jmp, a cmp edi against a constant, jne, then the same three movs),
        // differing only in the compared constant (0x2380 here, 0x1f80 below) and
        // in where the 7-instruction window starts. They likely come from two
        // copies of one code pattern, so they are not fully independent evidence.
        $sequence_6 = { 895c2404 893424 ff15???????? e9???????? 81ff80230000 751a c7442408???????? }
            // n = 7, score = 100
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   893424               | mov                 dword ptr [esp], esi
            //   ff15????????         |                     
            //   e9????????           |                     
            //   81ff80230000         | cmp                 edi, 0x2380
            //   751a                 | jne                 0x1c
            //   c7442408????????     |                     

        $sequence_7 = { e8???????? 85c0 0f84fe0d0000 8b03 8b8894000000 85c9 0f84c72e0000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f84fe0d0000         | je                  0xe04
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8b8894000000         | mov                 ecx, dword ptr [eax + 0x94]
            //   85c9                 | test                ecx, ecx
            //   0f84c72e0000         | je                  0x2ecd

        $sequence_8 = { ff15???????? e9???????? 81ff801f0000 751a c7442408???????? 895c2404 893424 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   e9????????           |                     
            //   81ff801f0000         | cmp                 edi, 0x1f80
            //   751a                 | jne                 0x1c
            //   c7442408????????     |                     
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   893424               | mov                 dword ptr [esp], esi

        $sequence_9 = { bf00000000 83e004 0f45fa 0f94c1 897c2434 0fb603 84c0 }
            // n = 7, score = 100
            //   bf00000000           | mov                 edi, 0
            //   83e004               | and                 eax, 4
            //   0f45fa               | cmovne              edi, edx
            //   0f94c1               | sete                cl
            //   897c2434             | mov                 dword ptr [esp + 0x34], edi
            //   0fb603               | movzx               eax, byte ptr [ebx]
            //   84c0                 | test                al, al

    condition:
        // At least 7 of the 10 sequences must be found, and the scanned file
        // must be smaller than 1704960 bytes (~1.63 MiB). The size bound limits
        // false positives and scan cost on large binaries, but it also means a
        // padded or repacked sample above that size is not flagged.
        // NOTE(review): YARA's `filesize` is undefined when scanning a process
        // rather than a file, so this condition presumably does not fire on live
        // process memory — confirm against your scanning setup (unpacked dumps
        // written to disk are the intended input per the DISCLAIMER above).
        7 of them and filesize < 1704960
}