New malicious campaign spreading Windows and Linux backdoors

Telsy analyzed a new malicious campaign spreading Linux and Windows backdoors.

 

Introduction

This type of campaign starts by exploiting known vulnerabilities related to the target technologies and then performs lateral movement by uploading a web shell.

Attackers are adapting to the rapidly changing IT infrastructure of their targets by porting their existing Windows tools to Linux or developing new tools that support both platforms.

Unfortunately, the campaign does not have enough evidence to attribute it to a specific threat actor.

Nonetheless, it shows a continued attack on the supply-chain and therefore on third-party service providers, showing an interest in Personally Identifiable Information (PII) data.

Both backdoors, Windows and Linux, are intended to give the Command and Control (C2) access to the reverse shell of the infected system.

The IP and port of the C2 is dynamically retrieved by parsing the response obtained from an HTTP request to the first-stage Command & Control.

The Linux backdoor is developed in “C Programming Language” using standard system calls while the Windows backdoor is developed in “Golang” and packed with UPX.

It is likely that subsequent malware developments may lead to a single compilable code for both operating systems.

 

Fill the form below to download the full report

[email-download download_id=”5467” contact_form_id=”4482”]

 

Check other cyber reports on our blog.

This report was produced by Telsy’s “Cyber Threat Intelligence” team with the help of its CTI platform, which allows to analyze and stay updated on adversaries and threats that could impact customers’ business.

2
1