Friday, November 1, 2024
HomeMalwareFacefish Backdoor Steals Login Credentials & Execute Arbitrary Commands on Linux Systems

Facefish Backdoor Steals Login Credentials & Execute Arbitrary Commands on Linux Systems

Published on

Malware protection

The cybersecurity researchers of the Qihoo 360 NETLAB team have recently uncovered a new Linux backdoor, that has been dubbed as, “Facefish.” 

Experts have claimed that this new backdoor has the ability to steal user device information, login credentials, and even it can also execute arbitrary commands on the infected Linux systems.

By abusing this new Facefish backdoor a threat actor can encrypt the communications to the server controlled by the attacker with the help of Blowfish cipher. And not only that even it also allows an attacker to deliver several rootkits at distinct times.

- Advertisement - SIEM as a Service

Contents of Facefish backdoor

The Facefish backdoor is composed of primary two modules, and here they are mentioned below:-

  • Dropper
  • Rootkit

Here, the primary goal or function of the Rootkit module is to recognize the primary goal or function of the Facefish backdoor. With the help of LD_PRELOAD feature the Rootkit module gets load, and at the Ring 3 layer this module works.

By exploiting the LD_PRELOAD feature the Rootkit module of Facefish hooks the ssh/sshd program-related functions to steal the login credentials of the users on the affected systems.

Primary functions of Facefish

The primary functions of the Facefish backdoor are mentioned below:-

  • Upload device information
  • Stealing user credentials
  • Bounce Shell
  • Execute arbitrary commands

An earlier report of Juniper Networks explains about an attack chain that injects the SSH implants on Control Web Panel (CWP, formerly CentOS Web Panel) to exfiltrate essential data from the affected systems.

The researchers at NETLAB explains that the infection chain of Facefish backdoor can be divided into 3 stages, and here they are:-

  • In the 1st stage, through the implanted Dropper and vulnerability on the infected system, the Facefish spread its infection.
  • In the 2nd stage, the Dropper module of Facfish releases the Rootkit on the infected system.
  • The 3rd stage is the operational stage, and in this stage, the Rootkit module collects the sensitive information from the infected system and waits for the command-and-control (C2) server instructions to perform the execution process.

For the initial compromise, the definite vulnerability that is exploited by the attacker still remains unclear. But, the security analysts explain that the dropper module of Facefish comes with a set of pre-built tasks like:-

  • Detecting the runtime environment.
  • To get C2 information decrypting a configuration file.
  • Configuring the rootkit.
  • Starting the rootkit by injecting it into the “sshd.”

Moreover, the Rootkits may become a severe danger, as in the infected system it helps a threat actor to gain elevated privileges; and due to the elevated privileges, the attacker can also endanger the core operations of the OS.  

C2 commands

  • 0x300 – Report stolen credential information
  • 0x301 – Collect details of “uname” command
  • 0x302 – Run reverse shell
  • 0x310 – Execute any system command
  • 0x311 – Send the result of bash execution
  • 0x312 – Report host information

Apart from all these things, in February 2021, an ELF sample file was detected by the experts and after analysis of that ELF sample file, the recent verdicts of NETLAB have been published.

IOC

Sample MD5

38fb322cc6d09a6ab85784ede56bc5a7 sshins
d6ece2d07aa6c0a9e752c65fbe4c4ac2 libs.so

C2

176.111.174.26:443

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling...