Tuesday, September 10, 2024
HomeMalwareFacefish Backdoor Steals Login Credentials & Execute Arbitrary Commands on Linux Systems

Facefish Backdoor Steals Login Credentials & Execute Arbitrary Commands on Linux Systems

Published on

The cybersecurity researchers of the Qihoo 360 NETLAB team have recently uncovered a new Linux backdoor, that has been dubbed as, “Facefish.” 

Experts have claimed that this new backdoor has the ability to steal user device information, login credentials, and even it can also execute arbitrary commands on the infected Linux systems.

By abusing this new Facefish backdoor a threat actor can encrypt the communications to the server controlled by the attacker with the help of Blowfish cipher. And not only that even it also allows an attacker to deliver several rootkits at distinct times.

- Advertisement - EHA

Contents of Facefish backdoor

The Facefish backdoor is composed of primary two modules, and here they are mentioned below:-

  • Dropper
  • Rootkit

Here, the primary goal or function of the Rootkit module is to recognize the primary goal or function of the Facefish backdoor. With the help of LD_PRELOAD feature the Rootkit module gets load, and at the Ring 3 layer this module works.

By exploiting the LD_PRELOAD feature the Rootkit module of Facefish hooks the ssh/sshd program-related functions to steal the login credentials of the users on the affected systems.

Primary functions of Facefish

The primary functions of the Facefish backdoor are mentioned below:-

  • Upload device information
  • Stealing user credentials
  • Bounce Shell
  • Execute arbitrary commands

An earlier report of Juniper Networks explains about an attack chain that injects the SSH implants on Control Web Panel (CWP, formerly CentOS Web Panel) to exfiltrate essential data from the affected systems.

The researchers at NETLAB explains that the infection chain of Facefish backdoor can be divided into 3 stages, and here they are:-

  • In the 1st stage, through the implanted Dropper and vulnerability on the infected system, the Facefish spread its infection.
  • In the 2nd stage, the Dropper module of Facfish releases the Rootkit on the infected system.
  • The 3rd stage is the operational stage, and in this stage, the Rootkit module collects the sensitive information from the infected system and waits for the command-and-control (C2) server instructions to perform the execution process.

For the initial compromise, the definite vulnerability that is exploited by the attacker still remains unclear. But, the security analysts explain that the dropper module of Facefish comes with a set of pre-built tasks like:-

  • Detecting the runtime environment.
  • To get C2 information decrypting a configuration file.
  • Configuring the rootkit.
  • Starting the rootkit by injecting it into the “sshd.”

Moreover, the Rootkits may become a severe danger, as in the infected system it helps a threat actor to gain elevated privileges; and due to the elevated privileges, the attacker can also endanger the core operations of the OS.  

C2 commands

  • 0x300 – Report stolen credential information
  • 0x301 – Collect details of “uname” command
  • 0x302 – Run reverse shell
  • 0x310 – Execute any system command
  • 0x311 – Send the result of bash execution
  • 0x312 – Report host information

Apart from all these things, in February 2021, an ELF sample file was detected by the experts and after analysis of that ELF sample file, the recent verdicts of NETLAB have been published.

IOC

Sample MD5

38fb322cc6d09a6ab85784ede56bc5a7 sshins
d6ece2d07aa6c0a9e752c65fbe4c4ac2 libs.so

C2

176.111.174.26:443

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Chinese Hackers Using Open Source Tools To Launch Cyber Attacks

Three Chinese state-backed threat groups, APT10, GALLIUM, and Stately Taurus, have repeatedly employed a...

Small Business, Big Threats: INE Security Launches Initiative to Train SMBs to Close a Critical Skills Gap

As cyber threats grow, small to medium-sized businesses (SMBs) are disproportionately targeted. According to...

Researchers Details Attacks On Air-Gaps Computers To Steal Data

The air-gap data protection method isolates local networks from the internet to mitigate cyber...

Beware Of Malicious Chrome Extension That Delivers Weaponized ZIP Archive

In August 2024, researchers detected a malicious Google Chrome browser infection that led to...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Beware Of Malicious Chrome Extension That Delivers Weaponized ZIP Archive

In August 2024, researchers detected a malicious Google Chrome browser infection that led to...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Researchers Unpacked AvNeutralizer EDR Killer Used By FIN7 Group

FIN7 (aka Carbon Spider, ELBRUS, Sangria Tempest) is a Russian APT group that is...