Malware is a growing problem for both Windows and Linux-based systems, and it's important for businesses and IT professionals to stay informed about the latest indicators of compromise (IOCs). Recently, a new backdoor malware strain has been discovered that targets both Windows and Linux-based systems. This malware, known as KEYPLUG, is designed to evade detection and has been found to be extremely effective at doing so.
KEYPLUG is a type of malware that is designed to access a system without the user’s knowledge or permission. Once installed, the malware is capable of collecting system information, executing malicious code, and establishing a backdoor connection to a remote command-and-control (C&C) server.
Fortunately, security researchers have identified several indicators of compromise (IOCs) associated with KEYPLUG. For Windows systems, these include the presence of a specific registry key, a system service, and a malicious file. On Linux-based systems, the malicious file and a cronjob are the primary IOCs associated with KEYPLUG.
The registry key is located under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry path and is used to execute the malicious code at startup. The system service is named “gfsservice” and can be found in the Service Control Manager. The malicious file is named “keyplug.exe” and is located in the user’s home directory. On Linux-based systems, the malicious file is named “keyplug” and is located in the /tmp directory, and a cronjob is used to periodically execute it.
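The following Python script is an added example, not code from the original article or from any vendor, showing how the IOCs listed above can be matched against a host inventory. The snapshot format and the sample data are constructed for illustration; because the text does not name the Run value, the registry check matches on the command line that references keyplug.exe rather than on a specific value name.

```python
"""Match constructed host artifacts against the KEYPLUG IOCs named in the text."""
from dataclasses import dataclass, field
from pathlib import PurePosixPath, PureWindowsPath

# IOC values as stated in the article.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WIN_SERVICE = "gfsservice"
WIN_FILE = "keyplug.exe"
LINUX_FILE = "/tmp/keyplug"


@dataclass
class HostSnapshot:
    """Hypothetical inventory format: what an agent or script collected from one host."""
    os: str                                            # "windows" or "linux"
    run_entries: dict = field(default_factory=dict)    # Run value name -> command line
    services: list = field(default_factory=list)       # installed service names
    files: list = field(default_factory=list)          # observed file paths
    crontab: list = field(default_factory=list)        # raw crontab lines


def check_windows(snap: HostSnapshot) -> list:
    hits = []
    for name, cmd in snap.run_entries.items():         # Run key pointing at the dropper
        if WIN_FILE in cmd.lower():
            hits.append(f"run-key: {RUN_KEY}\\{name} -> {cmd}")
    for svc in snap.services:                          # persistence via service
        if svc.lower() == WIN_SERVICE:
            hits.append(f"service: {svc}")
    for path in snap.files:                            # dropped binary by file name
        if PureWindowsPath(path).name.lower() == WIN_FILE:
            hits.append(f"file: {path}")
    return hits


def check_linux(snap: HostSnapshot) -> list:
    hits = []
    for path in snap.files:
        if PurePosixPath(path) == PurePosixPath(LINUX_FILE):
            hits.append(f"file: {path}")
    for line in snap.crontab:                          # skip comments, flag cron jobs running it
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and LINUX_FILE in stripped:
            hits.append(f"cron: {stripped}")
    return hits


def scan(snap: HostSnapshot) -> list:
    return check_windows(snap) if snap.os == "windows" else check_linux(snap)


# Constructed sample snapshots (not real captures).
WIN_SAMPLE = HostSnapshot(os="windows",
    run_entries={"OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
                 "Updater": r"C:\Users\alice\keyplug.exe"},
    services=["Spooler", "gfsservice", "WinDefend"],
    files=[r"C:\Users\alice\keyplug.exe"])
LINUX_SAMPLE = HostSnapshot(os="linux",
    files=["/tmp/keyplug", "/tmp/systemd-private-x"],
    crontab=["# m h dom mon dow command", "*/10 * * * * /tmp/keyplug"])

if __name__ == "__main__":
    for s in (WIN_SAMPLE, LINUX_SAMPLE):
        print(s.os, scan(s))
```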
It is important for businesses and IT professionals to be aware of the latest indicators of compromise associated with malware like KEYPLUG. By monitoring for these IOCs, organizations can quickly identify and respond to any malicious activity on their systems. Additionally, organizations should ensure that their systems are kept up-to-date with the latest security patches and that a comprehensive security solution is in place to prevent, detect, and respond to any malicious activity.