
Stitch Backdoor

By GoldSparrow in Backdoors

Stitch is an open-source backdoor written in Python that was created for educational and research purposes. Still, the program is capable of carrying out all of the usual activities observed in similar RAT (Remote Access Trojan) threats. The Stitch Backdoor is cross-platform, and it also gives attackers the option to build custom payloads that will only work on the OS they were built on.

Among the most notable cross-platform functions of the Stitch Backdoor are dumping Chrome passwords, enabling or disabling certain services such as Remote Desktop Protocol (RDP), User Account Control (UAC) and Windows Defender, creating custom pop-up windows, collecting information about the connected drives, and summarizing some Registry values. Furthermore, it can take control of any connected camera and take snapshots. Stitch also has OS-specific functions that are available depending on whether the victim runs Windows, Mac OSX or Linux. All communication between the attacker's host and the victim is encrypted with the AES encryption algorithm.

Stitch was Part of a Water-Hole Attack Campaign

Cybersecurity researchers observed modified versions of the Stitch Backdoor being dropped in a water-hole style attack carried out by a group of hackers named the Holy Water APT. The campaign targeted an Asian religious and ethnic group. To better suit their needs, the criminals extended Stitch's underlying code to download a legitimate Adobe Flash installation program. An auto-update capability also was implemented by connecting to ubntrooters.serveuser.com at startup. The Holy Water APT also improved the malware's persistence by leveraging scheduled tasks, with a logon task named Adobe Updater that pointed to C:\ProgramData\package\AdobeService.exe.
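The persistence detail above (a logon-triggered scheduled task named Adobe Updater whose action is C:\ProgramData\package\AdobeService.exe) is the kind of indicator a responder can hunt for across a fleet. The script below is an added example, not code from this write-up or from the Stitch project: it triages a `schtasks /query /fo CSV /v` export, matching both the exact task name and action path reported above and a more general heuristic (assumed here, not from the write-up) that flags any logon-triggered task whose executable lives under C:\ProgramData or C:\Users, directories that ordinary users can write to. The export rows are constructed sample data with a subset of the real columns; the column names used (`TaskName`, `Task To Run`, `Schedule Type`) are the ones `schtasks` emits.

```python
import csv
import io
import ntpath

# Indicators taken from the Holy Water description above.
KNOWN_TASK_NAME = "Adobe Updater"
KNOWN_ACTION_PATH = r"C:\ProgramData\package\AdobeService.exe"

# Assumed heuristic: logon persistence from user-writable trees is worth a look.
# ntpath.normcase() output is lowercase with backslashes, so compare against that form.
SUSPICIOUS_PREFIXES = ("c:\\programdata\\", "c:\\users\\")

# Constructed sample of `schtasks /query /fo CSV /v` output (subset of the real columns).
# Raw string so the Windows backslashes survive untouched.
SAMPLE_EXPORT = r'''"HostName","TaskName","Status","Logon Mode","Author","Task To Run","Schedule Type","Run As User"
"WS01","\Microsoft\Windows\UpdateOrchestrator\Schedule Scan","Ready","Interactive/Background","Microsoft Corporation","%systemroot%\system32\usoclient.exe StartScan","Daily","SYSTEM"
"WS01","\Adobe Updater","Ready","Interactive only","WS01\user","C:\ProgramData\package\AdobeService.exe","At logon time","user"
"WS01","\Backup Sync","Ready","Interactive only","WS01\user","C:\ProgramData\sync\sync.exe --quiet","At logon time","user"
"WS01","\OneDrive Standalone Update Task","Ready","Interactive only","WS01\user","C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","Daily","user"
'''


def executable_from_command(command):
    """Return the executable portion of a 'Task To Run' value, dropping arguments.

    Handles both quoted paths ("C:\\Program Files\\x.exe" /arg) and bare ones.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(None, 1)[0] if command else ""


def triage_scheduled_tasks(export_text):
    """Return a list of findings, one per task that matches an indicator or the heuristic."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text.strip())):
        task_name = row["TaskName"].lstrip("\\")          # schtasks prefixes names with '\'
        exe = executable_from_command(row["Task To Run"])
        exe_norm = ntpath.normcase(exe)                    # lowercase, backslash-separated
        reasons = []

        if task_name.lower() == KNOWN_TASK_NAME.lower():
            reasons.append("task name matches the Holy Water persistence task")
        if exe_norm == ntpath.normcase(KNOWN_ACTION_PATH):
            reasons.append("action path matches the documented AdobeService.exe location")
        if "logon" in row["Schedule Type"].lower() and exe_norm.startswith(SUSPICIOUS_PREFIXES):
            reasons.append("logon-triggered task running from a user-writable directory")

        if reasons:
            findings.append({"host": row["HostName"], "task": task_name,
                             "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_scheduled_tasks(SAMPLE_EXPORT):
        print(f"{finding['host']}: {finding['task']} -> {finding['exe']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

On the constructed export the Adobe Updater row matches all three checks, the Backup Sync row matches only the heuristic, and the Microsoft and OneDrive tasks are left alone because they are not logon-triggered. The heuristic will produce benign hits on real hosts (plenty of legitimate software updates itself from AppData), so treat it as a triage queue rather than an alert; the C2 hostname ubntrooters.serveuser.com from the write-up is a second, independent indicator to check in DNS and proxy logs.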
