Facefish Backdoor Steals Login Credentials & Execute Arbitrary Commands on Linux Systems


In the 1st phase, through the implanted Dropper and vulnerability on the infected system, the Facefish spread its infection.
In the 2nd stage, the Dropper module of Facfish launches the Rootkit on the contaminated system.
The 3rd stage is the operational stage, and in this phase, the Rootkit module gathers the sensitive information from the contaminated system and waits for the command-and-control (C2) server instructions to carry out the execution procedure.

Contents of Facefish backdoor.

Specialists have declared that this brand-new backdoor has the ability to steal user device info, login qualifications, and even it can likewise perform approximate commands on the infected Linux systems.

The primary functions of the Facefish backdoor are discussed below:-.

Main functions of Facefish.

The scientists at NETLAB discusses that the infection chain of Facefish backdoor can be divided into 3 stages, and here they are:-.

By making use of the LD_PRELOAD function the Rootkit module of Facefish hooks the ssh/sshd program-related functions to steal the login credentials of the users on the impacted systems.

An earlier report of Juniper Networks describes about an attack chain that injects the SSH implants on Control Web Panel (CWP, formerly CentOS Web Panel) to exfiltrate vital information from the affected systems.

Here, the main goal or function of the Rootkit module is to recognize the primary goal or function of the Facefish backdoor. With the help of LD_PRELOAD feature the Rootkit module gets load, and at the Ring 3 layer this module works.

Discovering the runtime environment.
To get C2 information decrypting a configuration file.
Setting up the rootkit.
Starting the rootkit by injecting it into the “sshd.”.

Upload device details.
Taking user credentials.
Bounce Shell.
Carry out arbitrary commands.

The Facefish backdoor is made up of main two modules, and here they are pointed out below:-.

C2 commands.

For the preliminary compromise, the definite vulnerability that is made use of by the attacker still remains uncertain. But, the security analysts describe that the dropper module of Facefish features a set of pre-built tasks like:-.

By abusing this brand-new Facefish backdoor a danger star can encrypt the communications to the server controlled by the assaulter with the assistance of Blowfish cipher. And not only that even it likewise allows an enemy to provide a number of rootkits at unique times.

The Rootkits might end up being a severe risk, as in the contaminated system it helps a hazard actor to gain raised privileges; and due to the elevated privileges, the assaulter can likewise endanger the core operations of the OS..

The cybersecurity researchers of the Qihoo 360 NETLAB team have actually recently revealed a brand-new Linux backdoor, that has been dubbed as, “Facefish.”.

0x300– Report taken credential information.
0x301– Collect information of “uname” command.
0x302– Run reverse shell.
0x310– Execute any system command.
0x311– Send the result of bash execution.
0x312– Report host information.

Sample MD5.

Apart from all these things, in February 2021, an ELF sample file was found by the specialists and after analysis of that ELF sample file, the recent verdicts of NETLAB have been released.

38fb322cc6d09a6ab85784ede56bc5a7 sshins.
d6ece2d07aa6c0a9e752c65fbe4c4ac2 libs.so.


You can follow us on Linkedin, Twitter, Facebook for day-to-day Cybersecurity and hacking news updates.