by dahart 3255 days ago
Yes, right, that's correct. The infection vector itself is precisely what is known as the "back door". That's the point. Back doors are the vector, whereas with phishing the user is the vector.

The definition of a backdoor is an attack that bypasses security and doesn't require user input. The definition of phishing is an attack that requires user input, by tricking the user into using their own credentials to authorize access.

Back doors can be opened intentionally or unintentionally by whoever designed or set up the system, but they allow an attacker to get in without involving any input or action from a legitimate user of the system.

Phishing is a way to infect a device with malware by tricking the user into installing the malware. That's exactly what happened here. GhostCtrl is malware that infects via phishing, because it requires the user to authorize it, and it does not have an attack vector it can use without the user's authorization.

It sounds like we're all straightened out and in agreement?


No, the infection vector, e.g. phishing or browser exploit or trojan or whatever, is what enables a back door to be installed. The back door is not an infection vector, it is the payload.

Yes, there is a type of back door that is factory installed as part of the dev process of an otherwise legitimate product. But in the context of malware, the backdoor is a payload that enables malicious remote access. Like the glossary entry I linked explains.

Yes it is possible to install a back door, after you've gained access. I'm fine with calling GhostCtrl a phishing attack that installs a back door. The big question here is which part of the attack elevates access to user or root level?

The miscommunication here between us is that you're looking at what GhostCtrl does after it already gained access. Because the first point of contact, the initial entry point, is using the security systems as they were designed to be used, and tricking the user into granting access to the malicious software, the attack as a whole is a phishing attack. As I understand it, the payload is not by itself elevating access, it is using access the user granted to do bad things, not achieving a higher access level.

The payload of an attack of any sort is not commonly understood to be the "back door", I think you're slightly off the mark there. You're not wrong, but you're going to have trouble talking to other people if you keep insisting on this, because the common understanding of a back door is that it's a way of getting in, by bypassing security. It's normally defined as a way of initiating an attack, not the malicious result of an already complete attack.

The only way to define a back door as you have is to have another attack in front of it. If the back door is the payload, then you have to deliver and execute the payload somehow. In the case of GhostCtrl, that mechanism is phishing.

If you scroll back, this started with "Why is this being called a backdoor? Is there any indication that that's what it is?". I linked to a glossary entry I think reflects the common usage in malware context.

Not every payload is a back door; payloads can also be ransomware, DDoS bots, etc.

Okay, I think we're agreeing on the definition. You do agree that this particular backdoor depends on a successful phishing attack, right?

FWIW, I don't think that glossary entry you linked is very good. It calls a backdoor an application, but a backdoor is not always an application -- which I think you already know & mentioned in this thread. A RAT (remote access tool) is definitely not synonymous with backdoor in the common understanding. A backdoor can also be an open port, a bad password, or a variety of other entry methods. Wikipedia's entry on backdoor is better than the one you linked. https://en.m.wikipedia.org/wiki/Backdoor_(computing)

If a backdoor were always an application, and that was the common definition, then I think the question above wouldn't have been asked. One problem is that backdoor sometimes implies a vulnerability exists before any malware is installed. To call something a backdoor can send the wrong message about what someone concerned about this should do to mitigate the risks. Knowing it's a phishing attack is pretty important because it means you can and should be suspicious of apps asking for credentials and permissions. If you think it's primarily a back door, you might wrongly assume that you need to update a security patch, or that there's nothing you can do to reduce your risks.

This is why I believe @debatem1's question is reasonable and agree with it - to title this a backdoor is technically true, but it seems misleading.

I think this is going around in circles: we already covered the backdoor term in malware vs. product name in context, and the payload vs. phishing thing. If you Google for backdoor payloads, you see that it is common usage.