Security experts at Kaspersky Lab have discovered a new cross-platform backdoor dubbed DropboxCache, now ported from Linux to Windows.
Security experts at Kaspersky Lab have discovered a new cross-platform backdoor dubbed DropboxCache (Backdoor.Linux.Mokes.a), initially targeting Linux systems and now ported to Windows. The backdoor allows attackers to gain complete control over the victim’s machine and also implements an audio capture feature. To make DropboxCache portable, its authors used C++ and Qt, a common choice in the development community.
The experts at Kaspersky noticed that the authors made no effort to obfuscate the code: analysis of the sample allowed investigators to find the IP address of the command and control (C&C) server hardcoded in the malware, which contacts the server every minute.
The authors digitally signed the code with a trusted certificate issued by COMODO RSA Code Signing CA, but Kaspersky did not reveal the name of the entity to which the certificate was issued.
“Next, it connects to its hardcoded C&C Server. From this point, it performs an http request every minute. This “heartbeat” request replies with a one-byte image. To upload and receive data and commands, it connects to TCP port 433 using a custom protocol and AES encryption.”
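The heartbeat pattern quoted above (an HTTP request every minute answered with a one-byte image) is something a defender can look for in proxy logs. The following is an added example written for this article, not code from Kaspersky or from the malware: it scans constructed proxy log lines (timestamp, client, destination, method, response bytes) and flags client/destination pairs whose tiny-response requests recur on a near-constant ~60-second interval. The log format and the tuning thresholds are assumptions.

```python
"""Beacon detection for the DropboxCache/Mokes heartbeat pattern.

Heuristic: for each (client, destination) pair, keep HTTP requests whose
response body is tiny (the one-byte "image" reply) and check whether their
timestamps fall on a near-constant ~60 s period.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real data), one request per line:
# <ISO timestamp> <client> <destination> <method> <response bytes>
SAMPLE_LOG = """\
2016-01-20T10:00:00 10.0.0.5 203.0.113.10 GET 1
2016-01-20T10:01:00 10.0.0.5 203.0.113.10 GET 1
2016-01-20T10:02:01 10.0.0.5 203.0.113.10 GET 1
2016-01-20T10:02:30 10.0.0.5 198.51.100.7 GET 5120
2016-01-20T10:02:59 10.0.0.5 203.0.113.10 GET 1
2016-01-20T10:04:00 10.0.0.5 203.0.113.10 GET 1
2016-01-20T10:00:10 10.0.0.8 198.51.100.7 GET 2048
2016-01-20T10:00:45 10.0.0.8 198.51.100.7 GET 1
2016-01-20T10:07:12 10.0.0.8 198.51.100.7 GET 1
"""

def parse(log):
    """Yield (timestamp, client, destination, response_bytes) per log line."""
    for line in log.splitlines():
        ts, client, dst, _method, size = line.split()
        yield datetime.fromisoformat(ts), client, dst, int(size)

def find_beacons(log, period=60.0, jitter=5.0, max_body=1, min_hits=4):
    """Return [(client, dst, mean_gap_seconds)] for pairs that look like heartbeats."""
    times = defaultdict(list)
    for ts, client, dst, size in parse(log):
        if size <= max_body:  # only the tiny "heartbeat" replies are of interest
            times[(client, dst)].append(ts)
    hits = []
    for (client, dst), ts_list in times.items():
        if len(ts_list) < min_hits:  # too few samples to call it periodic
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        # Regular period close to the expected one, with little spread between gaps
        if abs(mean(gaps) - period) <= jitter and pstdev(gaps) <= jitter:
            hits.append((client, dst, round(mean(gaps), 1)))
    return hits

if __name__ == "__main__":
    for client, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {client} -> {dst} every ~{gap}s")
```

A real deployment would widen the time window and tune `max_body` and `jitter` to the proxy's own logging granularity, since legitimate pollers can also be periodic.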
A few days ago, the experts spotted a second backdoor called OLMyJuxM.exe (Backdoor.Win32.Mokes.imv) infecting Windows machines. Analysis of this strain allowed the experts at Kaspersky to determine that it is a 32-bit Windows variant of the DropboxCache backdoor.
“Just a few days ago, we came across a rather familiar looking sample, although it was compiled for machines running Microsoft Windows. It quickly turned out to be a 32-bit Windows variant of Backdoor.Linux.Mokes.a.” continues the post.
The Windows variant of the DropboxCache backdoor uses the same filename templates to store the captured audio, screenshots, keylogs and other data. Unlike the Linux variant, the Windows strain enables the keylogging feature at startup.
What about the future?
Experts speculate that a Mac OS X variant will soon be found in the wild.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".