Both of these malware strains are multiplatform bots compiled for many different processor architectures and written in the Go programming language.

Analyzing Backdoorit

Backdoorit (version 2578125) is a multiplatform RAT written in the Go programming language that supports both Windows and Linux/Unix operating systems. In many places in the code it is also referred to as backd00rit.

Based on a close inspection of the analyse-full command of Backdoorit, we concluded that the main purpose of this malware is stealing Minecraft-related files and Visual Studio and IntelliJ projects. But the malware is not limited to those files. Some commands (upload, basharchive, bashupload and so on) allow it to steal arbitrary files and information, install other malware on the system or run arbitrary commands (run, run-binary, etc.), and take screenshots of the user's activity (screenshot, ssfile and so on).

Evidence indicates that the Backdoorit developer is not a native English speaker, further pointing to a possible Russian threat actor. The comments and strings in the code are mostly written in English but are often grammatically incorrect. For instance, we found the message: “An confirmation required, run ”. We also discovered some isolated strings written in Russian.

After running, Backdoorit retrieves some basic environment information such as the current operating system and the name of the user. It then continuously tries to connect to a C&C server to give the attacker access to a shell.

The malware logs all executed operations and steps taken via a set of backd00r1t_logging_* functions. Those logs can be uploaded to the attacker's server either with the uploadlogs and uploadlogs-file shell commands or automatically when a Go panic is raised. In that case backd00r1t_backdoor_handlePanic handles the panic and performs the following actions: it first sends the logs to the /api/logs endpoint of the C&C server, using the JSON request structure defined in the function backd00r1t_api_SendLogs, and then closes the connection with the C&C server. This handler helps keep the bot connected and also allows the attacker to remotely follow the execution trace.

Once the connection to the C&C succeeds, the attacker gets the context information listed below. The function backd00r1t_backdoor_SocketConnectionHandle is responsible for handling all the commands supported by this RAT and first calls backd00r1t_backdoor_printMotd to display that information. The shell allows the threat actor to remotely execute arbitrary commands.
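As an added defender-side example (not code from the original analysis), the following Python scanner looks for the backd00r1t_* function names and the /api/logs path described above in a file's raw bytes, relying on the fact that Go binaries normally keep their function names as plain strings. The sample blobs are constructed, and the scoring thresholds are my own assumption, not a published rule.

```python
import re
from dataclasses import dataclass

# Function names the analysis above attributes to Backdoorit.
KNOWN_SYMBOLS = {
    b"backd00r1t_backdoor_SocketConnectionHandle",
    b"backd00r1t_backdoor_printMotd",
    b"backd00r1t_backdoor_handlePanic",
    b"backd00r1t_api_SendLogs",
}
SYMBOL_RE = re.compile(rb"backd00r1t_[A-Za-z0-9_]+")
C2_PATH = b"/api/logs"  # endpoint used by the panic handler to upload logs

@dataclass
class ScanResult:
    symbols: list       # every backd00r1t_* symbol found in the blob
    known_hits: int     # how many of KNOWN_SYMBOLS were present
    has_logging: bool   # any backd00r1t_logging_* function present
    has_c2_path: bool   # the /api/logs string is present
    verdict: str        # "backdoorit", "suspicious" or "clean"

def scan(blob: bytes, min_known: int = 2) -> ScanResult:
    """Score a file's bytes against the Backdoorit indicators (thresholds assumed)."""
    symbols = sorted(set(SYMBOL_RE.findall(blob)))
    known = sum(1 for s in symbols if s in KNOWN_SYMBOLS)
    has_logging = any(s.startswith(b"backd00r1t_logging_") for s in symbols)
    has_c2 = C2_PATH in blob
    if known >= min_known or (has_logging and has_c2):
        verdict = "backdoorit"
    elif symbols:
        verdict = "suspicious"  # unknown backd00r1t_* symbol: worth a manual look
    else:
        verdict = "clean"
    return ScanResult([s.decode() for s in symbols], known, has_logging, has_c2, verdict)

# Constructed stand-ins for a binary's bytes (not real samples): symbol names mixed with junk.
SAMPLE = (b"\x7fELF" + b"\x00" * 16 + b"main.main\x00"
          + b"backd00r1t_logging_Info\x00backd00r1t_backdoor_handlePanic\x00"
          + b"backd00r1t_api_SendLogs\x00/api/logs\x00" + b"\x90" * 8)
CLEAN = b"\x7fELF" + b"\x00" * 16 + b"main.main\x00net/http.(*Client).Do\x00"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("clean", CLEAN)):
        result = scan(blob)
        print(name, result.verdict, result.symbols)
```

To scan a real file, pass `open(path, "rb").read()` to `scan()`; symbol names can be stripped from a Go binary, so a "clean" verdict here is an absence of these strings, not proof the file is benign.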