Attackers Continue to Make Hay with Backdoor Malware

The looming threat of backdoor malware continues to strike organizations and is especially worrisome as it often goes undetected for several months. This allows cybercriminals to gain persistence on corporate networks with ample opportunity to steal data and gain better insights into how systems communicate. 

A peek into the current backdoor landscape

Over the past few months, researchers came across different new modular backdoor malware capable of doing more than just dropping malware. 
  • The notorious OceanLotus threat actor group was identified using a backdoor named Backdoor.MacOS.OCEANLOTUS.F that provided the ability to snoop on and steal confidential information from targeted systems.
  • Last month, a new Jupyter malware—a blend of infostealer and backdoor—emerged in the wild. It targets browsers such as Chromium, Firefox, and Chrome to steal data, precisely, users’ login credentials. 
  • In the first half of November, ESET researchers shared details about a new backdoor called ModPipe, which gives its operators access to sensitive data stored in POS systems. One of the distinctive features of the malware is the ‘GetMicInfo’ module that enables attackers to gather database passwords by decrypting them from Windows registry values. 
  • During the same time period, Sophos uncovered a new KillSomeOne backdoor used by Chinese adversaries to target non-governmental organizations in Myanmar. The backdoor ultimately dropped a new variant of PlugX trojan on infected systems.
 

Worth noting

In addition to the discovery of new backdoor malware, researchers found two new undocumented malicious backdoors from the past. 
  • One of them is tracked as PowerPepper, a backdoor developed by the hacker-for-hire group DeathStalker. The PowerShell-based implant was first discovered in May and, since then, it has been under constant development with new versions. 
  • The other backdoor is Crutch, associated with the Turla APT group. According to ESET researchers, the malware was used from 2015 to at least early 2020. 

What else to worry about?

The malicious backdoors are not only growing in numbers, but there has also been a significant change in propagation techniques. 
  • In one case, threat actors promoted a free tool named symchanger.php on Facebook as a part of the attack campaign that tricked users into installing a backdoor.   
  • Fake npm packages that posed as Twilio were also used to distribute backdoors. The malicious packages were downloaded more than 370 times before they were removed by security experts. 

The bottom line

Backdoor attacks present a considerable threat to businesses. Therefore, understanding how they are launched and how they can be prevented can help organizations strengthen their security mechanisms.