From Linux to Windows – New Family of Cross-Platform Desktop Backdoors Discovered

  • January 29, 2016

Jasper_The_Rasper
Moderator
By Stefan Ortloff on January 29, 2016

Background

Recently we came across a new family of cross-platform backdoors for desktop environments. First we got the Linux variant, and with information extracted from its binary, we were able to find the variant for Windows desktops, too. Not only that, but the Windows version was additionally equipped with a valid code signing signature. Let's have a look at both of them.

DropboxCache aka Backdoor.Linux.Mokes.a

This backdoor for Linux-based operating systems comes packed via UPX and is full of features to monitor the victim’s activities, including code to capture audio and take screenshots.

After its first execution, the binary checks its own file path and, if necessary, copies itself to one of the following locations:
  • $HOME/$QT-GenericDataLocation/.mozilla/firefox/profiled
  • $HOME/$QT-GenericDataLocation/.dropbox/DropboxCache
One example would be this location: $HOME/.local/share/.dropbox/DropboxCache. To achieve persistence, it uses this not very stealthy method: it just creates a .desktop-file in $HOME/.config/autostart/$filename.desktop. Here’s the template for this:
Full Article
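A defender-side check for the autostart persistence described above, added here as an example (not code from the article or from Kaspersky): it parses XDG autostart .desktop entries and flags any whose Exec command points at one of the two drop paths the article names. The sample entries are constructed for illustration.

```python
"""Scan $HOME/.config/autostart for Mokes-style persistence entries.

Added example, not from the Securelist article. The two drop paths are the
ones the article names; the sample .desktop contents are constructed.
"""
import configparser
from pathlib import Path
from typing import List, Optional

# Copy targets named in the article, relative to $HOME.
MOKES_DROP_PATHS = (".mozilla/firefox/profiled", ".dropbox/DropboxCache")

# Constructed autostart entry in the style the article describes.
SAMPLE_SUSPICIOUS = """[Desktop Entry]
Type=Application
Exec=/home/user/.local/share/.dropbox/DropboxCache
Name=DropboxCache
"""

# Constructed benign entry for comparison.
SAMPLE_BENIGN = """[Desktop Entry]
Type=Application
Exec=/usr/bin/nm-applet
Name=Network
"""


def parse_exec(desktop_text: str) -> Optional[str]:
    """Return the Exec= value of a .desktop entry, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(desktop_text)  # option names are case-insensitive here
    return cp.get("Desktop Entry", "Exec", fallback=None)


def is_mokes_like(desktop_text: str) -> bool:
    """True when the launched binary ends in one of the article's drop paths."""
    exec_cmd = parse_exec(desktop_text)
    if not exec_cmd:
        return False
    binary = exec_cmd.split()[0].strip("\"'")  # first token, quotes stripped
    return any(binary.endswith(p) for p in MOKES_DROP_PATHS)


def scan_autostart(autostart_dir: Optional[str] = None) -> List[Path]:
    """Return matching .desktop files; defaults to the user's autostart dir."""
    base = Path(autostart_dir) if autostart_dir else Path.home() / ".config" / "autostart"
    if not base.is_dir():
        return []
    hits = []
    for entry in sorted(base.glob("*.desktop")):
        try:
            if is_mokes_like(entry.read_text(errors="replace")):
                hits.append(entry)
        except configparser.Error:
            continue  # not a parseable Desktop Entry; skip it
    return hits


if __name__ == "__main__":
    for hit in scan_autostart():
        print(f"suspicious autostart entry: {hit}")
```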

1 reply

Baldrick
Gold VIP
  • January 29, 2016
Sounds a bit like bird flu, what with the species jumping aspects...is there no end to the creativity of the miscreants from the Dark Side? :(