
The function backd00r1t_backdoor_SocketConnectionHandle is responsible for handling all the commands supported by this RAT and first calls to backd00r1t_backdoor_printMotd for displaying such information: Once the connection to C&C succeeds, the attacker gets the context information listed below. The mentioned handler helps to keep the bot connected and also allows the attacker to remotely follow the execution trace.
#LINUX CONSOLE VIRUSTOTAL UPLOADER CODE#
The comments and strings in the code are mostly written in English but often grammatically incorrect.
#LINUX CONSOLE VIRUSTOTAL UPLOADER INSTALL#
Some commands ( upload, basharchive, bashupload and so on) allow it to steal arbitrary files and information, install other malware in the system or run arbitrary commands ( run, run-binary, etc.) and take screenshots of the user activity ( screenshot, ssfile and so on).Įvidence indicates that the Backdoorit developer is not a native English speaker, further pointing to a possible Russian threat actor.

In many places in the code it’s also referred to as backd00rit.īased on the close inspection of the analyse-full command of Backdoorit, we concluded that the main purpose of this malware is stealing Minecraft related files, Visual Studio and Intellij projects.īut the malware is not limited just to those files. Analyzing Backdooritīackdoorit (version 2578125) is a multiplatform RAT written in Go programming language and supporting both Windows and Linux/Unix operating systems. Both of these malware strains are multiplatform bots compiled for many different processor architectures and written in the Go programming language.
