Researchers Warn of Facefish Backdoor Spreading Linux Rootkits
May 28, 2021 | Ravie Lakshmanan

Cybersecurity researchers have disclosed a new backdoor program capable of stealing user login credentials and device information and of executing arbitrary commands on Linux systems.

The malware dropper has been dubbed "Facefish" by the Qihoo 360 NETLAB team owing to its capability to deliver different rootkits at different times and its use of the Blowfish cipher to encrypt communications to the attacker-controlled server.

"Facefish consists of 2 parts, Dropper and Rootkit, and its main function is determined by the Rootkit module, which works at the Ring 3 layer and is loaded using the LD_PRELOAD feature to steal user login credentials by hooking ssh/sshd program related functions, and it also supports some backdoor functions," the researchers said.
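The hooking described above runs in user space (Ring 3) through the dynamic loader, so it leaves traces a defender can audit without kernel tooling: an entry in /etc/ld.so.preload, or an LD_PRELOAD variable in the environment of the sshd process. The script below is an added example written for this post; it is not code from the article or from the NETLAB or Juniper research. The sample preload file and process table are constructed inline, and the list of "trusted" library directories is an assumption about a typical distribution layout, not a rule from the page.

```python
"""Audit a Linux host for LD_PRELOAD-style userland hooking of ssh/sshd.

Two persistence points are checked:
  1. /etc/ld.so.preload  - whitespace-separated list of shared objects the
                           loader injects into every dynamically linked process
  2. /proc/<pid>/environ - NUL-separated KEY=VALUE pairs; an LD_PRELOAD entry
                           injects objects into that one process (and children)
"""
import os
import re
from typing import Dict, List, Tuple

# Assumption: shared objects preloaded from outside these prefixes are unusual.
TRUSTED_PRELOAD_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
# Any preload at all into the SSH client or server is worth an analyst's look.
SENSITIVE_COMMS = ("ssh", "sshd")


def parse_ld_so_preload(text: str) -> List[str]:
    """Return the objects listed in /etc/ld.so.preload ('#' starts a comment)."""
    libs: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def parse_ld_preload_env(environ_blob: bytes) -> List[str]:
    """Extract LD_PRELOAD entries (colon- or space-separated) from a /proc environ blob."""
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in re.split(r"[:\s]+", value) if p]
    return []


def is_suspicious_path(path: str) -> bool:
    """Flag objects outside the standard library directories (e.g. /tmp, /dev/shm, home dirs)."""
    return not path.startswith(TRUSTED_PRELOAD_DIRS)


def audit(ld_so_preload_text: str, processes: Dict[int, Tuple[str, bytes]]) -> List[dict]:
    """Combine both sources into a list of findings.

    processes maps pid -> (comm, environ_bytes), mirroring /proc/<pid>/comm and
    /proc/<pid>/environ so the logic can be tested on constructed data.
    """
    findings = []
    for lib in parse_ld_so_preload(ld_so_preload_text):
        findings.append({"source": "/etc/ld.so.preload", "object": lib,
                         "suspicious": is_suspicious_path(lib)})
    for pid, (comm, environ) in processes.items():
        for lib in parse_ld_preload_env(environ):
            findings.append({"source": f"pid {pid} ({comm})", "object": lib,
                             "suspicious": is_suspicious_path(lib) or comm in SENSITIVE_COMMS})
    return findings


def collect_live() -> Tuple[str, Dict[int, Tuple[str, bytes]]]:
    """Read the real files on this host (reading other users' environ needs root)."""
    try:
        with open("/etc/ld.so.preload", encoding="utf-8", errors="replace") as fh:
            preload_text = fh.read()
    except FileNotFoundError:
        preload_text = ""
    procs: Dict[int, Tuple[str, bytes]] = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            with open(f"/proc/{pid}/environ", "rb") as fh:
                env = fh.read()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # process exited, or we lack privilege to read it
        procs[int(pid)] = (comm, env)
    return preload_text, procs


# Constructed sample data: one preload-file entry in /tmp, one sshd with an
# LD_PRELOAD from /dev/shm, one clean shell, one benign allocator preload.
SAMPLE_PRELOAD = "# constructed sample\n/tmp/.x/libs.so\n"
SAMPLE_PROCS: Dict[int, Tuple[str, bytes]] = {
    1234: ("sshd", b"PATH=/usr/bin\0LD_PRELOAD=/dev/shm/libhook.so\0"),
    1235: ("bash", b"PATH=/usr/bin\0HOME=/root\0"),
    1236: ("firefox", b"LD_PRELOAD=/usr/lib/libjemalloc.so.2\0"),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PRELOAD, SAMPLE_PROCS):
        print(finding)
```

Run as root with `collect_live()` in place of the sample data to audit a live host; the two-source design matters because a preload set only in a process environment never appears in /etc/ld.so.preload, and vice versa.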

The NETLAB research builds on a previous analysis published by Juniper Networks on April 26, which documented an attack chain targeting Control Web Panel (CWP, formerly CentOS Web Panel) to inject an SSH implant with data exfiltration capabilities.

Facefish goes through a multi-stage infection process, which commences with a command injection against the CWP to retrieve a dropper ("sshins") from a remote server, which then releases a rootkit that ultimately takes charge of collecting and transmitting sensitive information back to the server, in addition to awaiting further instructions issued by the command-and-control (C2) server.

For its part, the dropper comes with its own set of tasks, chief among them being detecting the runtime environment, decrypting a configuration file to get C2 information, configuring the rootkit, and starting the rootkit by injecting it into the secure shell server process (sshd).

Rootkits are particularly dangerous as they allow attackers to gain elevated privileges in the system, allowing them to interfere with core operations conducted by the underlying operating system. This ability of rootkits to camouflage into the fabric of the operating system gives attackers a high level of stealth and evasion.

Facefish also employs a complex communication protocol and encryption algorithm, using instructions starting with 0x2XX to exchange public keys and Blowfish for encrypting communication data with the C2 server. Some of the C2 commands sent by the server are as follows:

    0x300 - Report stolen credential information
    0x301 - Collect details of "uname" command
    0x302 - Run reverse shell
    0x310 - Execute any system command
    0x311 - Send the result of bash execution
    0x312 - Report host information

NETLAB's findings come from an analysis of an ELF sample file it detected in February 2021.
