Wednesday, April 30, 2025
HomeMalwareFacefish Backdoor Steals Login Credentials & Execute Arbitrary Commands on Linux Systems

Facefish Backdoor Steals Login Credentials & Execute Arbitrary Commands on Linux Systems

Published on

SIEM as a Service

Follow Us on Google News

The cybersecurity researchers of the Qihoo 360 NETLAB team have recently uncovered a new Linux backdoor, that has been dubbed as, “Facefish.” 

Experts have claimed that this new backdoor has the ability to steal user device information, login credentials, and even it can also execute arbitrary commands on the infected Linux systems.

By abusing this new Facefish backdoor a threat actor can encrypt the communications to the server controlled by the attacker with the help of Blowfish cipher. And not only that even it also allows an attacker to deliver several rootkits at distinct times.

- Advertisement - Google News

Contents of Facefish backdoor

The Facefish backdoor is composed of primary two modules, and here they are mentioned below:-

  • Dropper
  • Rootkit

Here, the primary goal or function of the Rootkit module is to recognize the primary goal or function of the Facefish backdoor. With the help of LD_PRELOAD feature the Rootkit module gets load, and at the Ring 3 layer this module works.

By exploiting the LD_PRELOAD feature the Rootkit module of Facefish hooks the ssh/sshd program-related functions to steal the login credentials of the users on the affected systems.

Primary functions of Facefish

The primary functions of the Facefish backdoor are mentioned below:-

  • Upload device information
  • Stealing user credentials
  • Bounce Shell
  • Execute arbitrary commands

An earlier report of Juniper Networks explains about an attack chain that injects the SSH implants on Control Web Panel (CWP, formerly CentOS Web Panel) to exfiltrate essential data from the affected systems.

The researchers at NETLAB explains that the infection chain of Facefish backdoor can be divided into 3 stages, and here they are:-

  • In the 1st stage, through the implanted Dropper and vulnerability on the infected system, the Facefish spread its infection.
  • In the 2nd stage, the Dropper module of Facfish releases the Rootkit on the infected system.
  • The 3rd stage is the operational stage, and in this stage, the Rootkit module collects the sensitive information from the infected system and waits for the command-and-control (C2) server instructions to perform the execution process.

For the initial compromise, the definite vulnerability that is exploited by the attacker still remains unclear. But, the security analysts explain that the dropper module of Facefish comes with a set of pre-built tasks like:-

  • Detecting the runtime environment.
  • To get C2 information decrypting a configuration file.
  • Configuring the rootkit.
  • Starting the rootkit by injecting it into the “sshd.”

Moreover, the Rootkits may become a severe danger, as in the infected system it helps a threat actor to gain elevated privileges; and due to the elevated privileges, the attacker can also endanger the core operations of the OS.  

C2 commands

  • 0x300 – Report stolen credential information
  • 0x301 – Collect details of “uname” command
  • 0x302 – Run reverse shell
  • 0x310 – Execute any system command
  • 0x311 – Send the result of bash execution
  • 0x312 – Report host information

Apart from all these things, in February 2021, an ELF sample file was detected by the experts and after analysis of that ELF sample file, the recent verdicts of NETLAB have been published.

IOC

Sample MD5

38fb322cc6d09a6ab85784ede56bc5a7 sshins
d6ece2d07aa6c0a9e752c65fbe4c4ac2 libs.so

C2

176.111.174.26:443

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Researchers Uncover SuperShell Payloads and Various Tools in Hacker’s Open Directories

Cybersecurity researchers at Hunt have uncovered a server hosting advanced malicious tools, including SuperShell...

Cyber Espionage Campaign Targets Uyghur Exiles with Trojanized Language Software

A sophisticated cyberattack targeted senior members of the World Uyghur Congress (WUC), the largest...

Konni APT Deploys Multi-Stage Malware in Targeted Organizational Attacks

A sophisticated multi-stage malware campaign, potentially orchestrated by the North Korean Konni Advanced Persistent...

Outlaw Cybergang Launches Global Attacks on Linux Environments with New Malware

The Outlaw cybergang, also known as “Dota,” has intensified its global assault on Linux...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Konni APT Deploys Multi-Stage Malware in Targeted Organizational Attacks

A sophisticated multi-stage malware campaign, potentially orchestrated by the North Korean Konni Advanced Persistent...

Outlaw Cybergang Launches Global Attacks on Linux Environments with New Malware

The Outlaw cybergang, also known as “Dota,” has intensified its global assault on Linux...

New Gremlin Stealer Advertised on Hacker Forums Targets Credit Card Data and Login Credentials

A formidable new information-stealing malware dubbed Gremlin Stealer has surfaced in the cybercrime underground,...