Pierluigi Paganini February 02, 2016

Security experts at Kaspersky Lab have discovered a new Cross-Platform backdoor dubbed DropboxCache Backdoor ported from Linux to Window.

Security experts at Kaspersky Lab have discovered a new Cross-Platform backdoor dubbed DropboxCache (Backdoor.Linux.Mokes.a), initially affecting Linux systems and now migrated to Windows. The backdoor allows attackers to gain complete control over the victim’s machine, it also implements a capture audio feature. To achieve the portability of the DropboxCache backdoor, authors have used C++ and Qt, a common choice in the development community.

The experts at Kaspersky noticed that the authors didn’t put effort into implement obfuscating techniques, the analysis of the source code allowed investigators to find the IP address of the command and control (C&C) server hardcoded into the source code, the malware contact the server every minute.

The authors digitally signed the code with a trusted certificate issued by COMODO RSA Code Signing CA, but Kaspersky did reveal the name of the entity that issued the certificate.

“Next, it connects to its hardcoded C&C Server. From this point, it performs an http request every minute. This “heartbeat” request replies with a one-byte image. To upload and receive data and commands, it connects to TCP port 433 using a custom protocol and AES encryption.”

A few days ago, the experts spotted a second backdoor called OLMyJuxM.exe(Backdoor.Win32.Mokes.imv) infecting Windows machine. The analysis of this strain of malware allowed the experts at Kaspersky to discover that this backdoor is a 32-bit Windows variant of the DropboxCache backdoor.

“Just a few days ago, we came across a rather familiar looking sample, although it was compiled for machines running Microsoft Windows. It quickly turned out to be a 32-bit Windows variant of Backdoor.Linux.Mokes.a.” continues the post.

The Windows variant of the DropboxCache backdoor uses the same filename templates to save the obtained audio captures, screenshot, keylogs and other data. Unilike the Linux variant, the strain for Windows enable the Keylogging feature at the startup.

What about the future?

Experts speculate that we will find soon a Mac OS X variant in the wild.

(Security Affairs – DropboxCache backdoor, malware)