
A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

How to analyze Backdoor with ANY.RUN


What is a backdoor?

A backdoor is a way of bypassing the standard authentication and security systems of a device or application in a stealthy manner. Backdoors can be intentionally created or unintentionally introduced.

Unintentional backdoors are usually the result of misconfigurations, coding errors, or design flaws. Intentional ones, on the other hand, can be implemented by developers of certain software or hardware for both legitimate and malicious purposes, including as a way to carry out maintenance and recovery.

In one instance of an intentional software backdoor, an attacker attempted to insert a backdoor into the code of XZ Utils, a set of tools for lossless data compression. The attacker had been actively contributing to the software's repository and eventually gained maintainer responsibilities, making it easier to introduce the malicious code. Learn more about it on ANY.RUN’s blog

Still, both types of backdoors can be exploited by threat actors for unauthorized access to an endpoint to conduct illicit activities such as data theft, system damage, or deployment of malicious payloads in the form of malware families.

There is also backdoor malware, which is malicious software utilized by criminals with the intention to extract sensitive data while hiding its presence on the system. Trojans are the primary category of malware selected by criminals for such operations. One of the most complex backdoor forms is rootkit malware that gains access to the kernel level of the system, which makes it difficult to detect. As a result, the use of a backdoor may not trigger any security alerts, as the attacker is using a legitimate, albeit unauthorized, entry point.


What is a backdoor attack?

A backdoor attack is a type of cybersecurity breach that involves the exploitation of a backdoor to access a system without authorization. Backdoor attacks based on malware can be carried out in various ways, including:

  • Password-based attacks: Backdoors can be created by brute forcing, which involves trying combinations of default credentials, typically hardcoded into the malicious software, to gain privileges on a target system.
  • Vulnerability exploitation: Another common attack vector relies on breaking into a system by abusing vulnerabilities in its architecture or applications installed on it, creating a backdoor for third-party access.
  • Lateral movement attacks: For these attacks to be successful, an initial compromise of a device within the network is necessary. Once a backdoor has been established on the compromised device, the attacker can move laterally through the network undetected, potentially compromising additional systems and devices.

What does backdoor malware do to a computer?

The impact of a backdoor on an endpoint device can be considerable and lead to significant consequences for the affected organization, both reputational and financial.

Depending on their functionality, backdoors allow attackers to perform a variety of malicious activities, including:

  • Steal sensitive data: Attackers can exfiltrate a wide range of information, including financial data, login credentials, and even crypto wallet recovery phrases. This can result in identity theft, exposure of confidential business information, and other unfavorable ramifications.
  • Install additional malware: Once a backdoor is established on the system, threat actors can install other malware, including keyloggers. This is usually done to inflict even more serious damage on the victim.
  • Modify or delete data: Criminals often modify files on the system or delete them entirely to disrupt the victim’s work and cause financial losses.
  • Spy on the victim: Backdoors can be used to conduct espionage activities, such as monitoring network traffic, intercepting communications, or recording keystrokes made on the infected device. Another common spying activity is recording videos via the web camera connected to the computer.

What are examples of backdoor malware families?

One of the malware families belonging to the backdoor type is PlugX. It is malicious software that has been in existence since 2008. For over a decade, it has been a go-to choice for many Chinese state-affiliated advanced persistent threats (APTs), such as Mustang Panda. These threat actors typically use PlugX as part of their espionage operations. As a result, some of the core features of the malware include keylogging, data exfiltration, and capabilities like side-loading that let it evade detection by security solutions.

MadMxShell is another example of backdoor malware. It leverages DNS MX queries to establish communication with its command and control (C2) server. This malware is capable of executing a range of malicious activities, including gathering system data and running commands via Cmd.exe. Learn more about MadMxShell and a campaign that used Google Ads to spread it on ANY.RUN’s blog.
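Because ordinary mail clients query MX once per recipient domain, a host issuing many MX queries with varying subdomain labels to a single domain is a useful lead when hunting for MX-based C2 like MadMxShell's. The following detection heuristic is an added example, not ANY.RUN's code or a MadMxShell signature; the log format, domain name and thresholds are constructed assumptions.

```python
# Added example (not ANY.RUN's code): flag hosts that issue unusually many DNS MX
# queries to one domain, a pattern consistent with MX-based C2 such as MadMxShell's.
from collections import defaultdict

# Constructed sample resolver log: "<epoch> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.7 MX example.com
1700000002 10.0.0.9 MX a1b2c3.c2-placeholder.invalid
1700000003 10.0.0.9 MX d4e5f6.c2-placeholder.invalid
1700000004 10.0.0.9 MX 7788aa.c2-placeholder.invalid
1700000005 10.0.0.9 MX bbccdd.c2-placeholder.invalid
1700000006 10.0.0.9 MX eeff00.c2-placeholder.invalid
1700000007 10.0.0.5 A mail.example.com
"""

def parse_line(line):
    ts, client, qtype, qname = line.split()
    return int(ts), client, qtype.upper(), qname.lower().rstrip(".")

def registrable(qname):
    # Crude: last two labels. Production code would use the public suffix list.
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname

def find_mx_beacons(log_text, min_queries=4, min_unique_names=3):
    """Return {client: {domain: mx_query_count}} for clients whose MX queries to
    one registrable domain are numerous AND spread over many distinct names,
    which is how encoded data in subdomain labels shows up in resolver logs."""
    counts = defaultdict(lambda: defaultdict(int))
    names = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qtype, qname = parse_line(line)
        if qtype != "MX":
            continue
        dom = registrable(qname)
        counts[client][dom] += 1
        names[client][dom].add(qname)
    hits = {}
    for client, doms in counts.items():
        for dom, n in doms.items():
            if n >= min_queries and len(names[client][dom]) >= min_unique_names:
                hits.setdefault(client, {})[dom] = n
    return hits
```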

How does backdoor malware work?

To observe a typical execution process of a backdoor malware, let’s upload a sample of PlugX into the ANY.RUN sandbox for in-depth analysis. View the analysis sessions by following this link

Process graph showing the execution chain of PlugX in ANY.RUN

The sandbox lets us observe the steps taken by the malware to fully deploy itself on the system:

  • Step 1: PlugX drops a legitimate ESET EHttpSrv.exe file, renamed as esetservice.exe, onto the infected system; this binary has the functionality to collect files from the compromised device.
  • Step 2: The malware then abuses the dllhost process to run esetservice.exe as a service.
  • Step 3: Following privilege escalation, PlugX injects a run once command, establishing a connection to a C2.
  • Step 4: PlugX fully deploys on the device and becomes ready to receive commands from the C2 server to begin its activity.
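Each step in the chain above leaves a trace an endpoint telemetry pipeline can check for: a signed binary running under a name that does not match its PE version info, that binary being launched by dllhost.exe, and a RunOnce value pointing at it. The triage script below is an added example, not ANY.RUN's code or a PlugX signature; the Sysmon-style event fields, file paths and registry value are constructed assumptions.

```python
# Added example (not ANY.RUN's code): heuristic triage of constructed Sysmon-style
# events for the renamed-binary, dllhost-launched-service and RunOnce behaviours.
import ntpath

# Constructed events; paths and the registry value are illustrative placeholders.
EVENTS = [
    {"type": "process", "pid": 4000, "image": r"C:\Windows\System32\dllhost.exe",
     "original_file_name": "dllhost.exe", "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "pid": 4100, "image": r"C:\ProgramData\update\esetservice.exe",
     "original_file_name": "EHttpSrv.exe", "parent_image": r"C:\Windows\System32\dllhost.exe"},
    {"type": "registry", "pid": 4100,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svc",
     "value": r"C:\ProgramData\update\esetservice.exe"},
    # Benign control: the real ESET binary under its own name, started by the SCM.
    {"type": "process", "pid": 5000, "image": r"C:\Program Files\ESET\EHttpSrv.exe",
     "original_file_name": "EHttpSrv.exe", "parent_image": r"C:\Windows\System32\services.exe"},
]

def is_renamed(ev):
    """True when the on-disk file name differs from the PE OriginalFileName."""
    return ntpath.basename(ev["image"]).lower() != ev["original_file_name"].lower()

def is_runonce_write(ev):
    """True for a value written under any RunOnce key (HKLM or HKCU)."""
    return "\\currentversion\\runonce\\" in ev["key"].lower()

def triage(events):
    """Return (pid, reason) findings; a pid with several reasons is the strongest lead."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and is_renamed(ev):
            reason = "renamed binary (%s on disk, %s in version info)" % (
                ntpath.basename(ev["image"]), ev["original_file_name"])
            if ntpath.basename(ev["parent_image"]).lower() == "dllhost.exe":
                reason += ", launched by dllhost.exe"
            findings.append((ev["pid"], reason))
        elif ev["type"] == "registry" and is_runonce_write(ev):
            findings.append((ev["pid"], "RunOnce persistence -> %s" % ev["value"]))
    return findings

def suspicious_pids(events, min_hits=2):
    """PIDs that tripped at least min_hits checks, to cut single-rule noise."""
    hits = {}
    for pid, _ in triage(events):
        hits[pid] = hits.get(pid, 0) + 1
    return sorted(pid for pid, n in hits.items() if n >= min_hits)
```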

How does backdoor malware spread?

The delivery method depends on the backdoor malware type. For instance, PlugX is equipped with worm capabilities, allowing it to spread through USB drives that come into contact with the infected machine.

However, in many cases, to deliver backdoor malware, attackers use social engineering techniques, such as phishing emails or fake software updates, to trick users into installing or enabling a backdoor.

How to prevent backdoor attacks

To minimize the risk of suffering from backdoor attacks, organizations should implement robust security practices and take a proactive approach to cybersecurity. This includes analyzing malicious and suspicious files and links in a sandbox environment. This way, you can not only assess whether a certain file or URL poses a threat to your infrastructure, but also expose the latest TTPs and collect fresh indicators of compromise (IOCs).

ANY.RUN is a cloud-based sandbox platform that enables users to quickly and thoroughly investigate malware and other types of threats. With the ability to detect backdoor and other types of malware in under 40 seconds, users can quickly determine the potential threat level of the sample they are dealing with.

The platform provides access to interactive Windows and Linux virtual machines, allowing users to analyze malicious behavior in a safe and isolated environment. The service supplies detailed threat reports that include IOCs and a comprehensive overview of malicious network and registry activities and processes. This information can be used to better understand and respond to potential threats, and to protect sensitive data and assets.
