Wednesday, April 24, 2024

Facefish Backdoor Steals Login Credentials & Execute Arbitrary Commands on Linux Systems

The cybersecurity researchers of the Qihoo 360 NETLAB team have recently uncovered a new Linux backdoor, that has been dubbed as, “Facefish.” 

Experts have claimed that this new backdoor has the ability to steal user device information, login credentials, and even it can also execute arbitrary commands on the infected Linux systems.

By abusing this new Facefish backdoor a threat actor can encrypt the communications to the server controlled by the attacker with the help of Blowfish cipher. And not only that even it also allows an attacker to deliver several rootkits at distinct times.

Contents of Facefish backdoor

The Facefish backdoor is composed of primary two modules, and here they are mentioned below:-

  • Dropper
  • Rootkit

Here, the primary goal or function of the Rootkit module is to recognize the primary goal or function of the Facefish backdoor. With the help of LD_PRELOAD feature the Rootkit module gets load, and at the Ring 3 layer this module works.

By exploiting the LD_PRELOAD feature the Rootkit module of Facefish hooks the ssh/sshd program-related functions to steal the login credentials of the users on the affected systems.

Primary functions of Facefish

The primary functions of the Facefish backdoor are mentioned below:-

  • Upload device information
  • Stealing user credentials
  • Bounce Shell
  • Execute arbitrary commands

An earlier report of Juniper Networks explains about an attack chain that injects the SSH implants on Control Web Panel (CWP, formerly CentOS Web Panel) to exfiltrate essential data from the affected systems.

The researchers at NETLAB explains that the infection chain of Facefish backdoor can be divided into 3 stages, and here they are:-

  • In the 1st stage, through the implanted Dropper and vulnerability on the infected system, the Facefish spread its infection.
  • In the 2nd stage, the Dropper module of Facfish releases the Rootkit on the infected system.
  • The 3rd stage is the operational stage, and in this stage, the Rootkit module collects the sensitive information from the infected system and waits for the command-and-control (C2) server instructions to perform the execution process.

For the initial compromise, the definite vulnerability that is exploited by the attacker still remains unclear. But, the security analysts explain that the dropper module of Facefish comes with a set of pre-built tasks like:-

  • Detecting the runtime environment.
  • To get C2 information decrypting a configuration file.
  • Configuring the rootkit.
  • Starting the rootkit by injecting it into the “sshd.”

Moreover, the Rootkits may become a severe danger, as in the infected system it helps a threat actor to gain elevated privileges; and due to the elevated privileges, the attacker can also endanger the core operations of the OS.  

C2 commands

  • 0x300 – Report stolen credential information
  • 0x301 – Collect details of “uname” command
  • 0x302 – Run reverse shell
  • 0x310 – Execute any system command
  • 0x311 – Send the result of bash execution
  • 0x312 – Report host information

Apart from all these things, in February 2021, an ELF sample file was detected by the experts and after analysis of that ELF sample file, the recent verdicts of NETLAB have been published.


Sample MD5

38fb322cc6d09a6ab85784ede56bc5a7 sshins


You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Phishing Attacks Rise By 58% As The Attackers Leverage AI Tools

AI-powered generative tools have supercharged phishing threats, so even newbie attackers can effortlessly create...

Multiple MySQL2 Flaw Let Attackers Arbitrary Code Remotely

The widely used MySQL2 has been discovered to have three critical vulnerabilities: remote Code...

CoralRaider Hacker Evade Antivirus Detections Using Malicious LNK File

This campaign is observed to be targeting multiple countries, including the U.S., Nigeria, Germany,...

Spyroid RAT Attacking Android Users to Steal Confidential Data

A new type of Remote Access Trojan (RAT) named Spyroid has been identified.This...

Researchers Uncover that UK.GOV Websites Sending Data to Chinese Ad Vendor Analysts

Analysts from Silent Push, a data analytics firm, have uncovered several UK government websites...

Ransomware Victims Who Opt To Pay Ransom Hits Record Low

Law enforcement operations disrupted BlackCat and LockBit RaaS operations, including sanctions on LockBit members...

IBM Nearing Talks to Acquire Cloud-software Provider HashiCorp

IBM is reportedly close to finalizing negotiations to acquire HashiCorp, a prominent cloud infrastructure...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles