Facefish Backdoor Steals Login Credentials & Executes Arbitrary Commands on Linux Systems


The Qihoo 360 NETLAB research team has recently disclosed a new Linux backdoor, dubbed "Facefish."

The researchers state that this backdoor can steal device information and login credentials and execute arbitrary commands on infected Linux systems.

An earlier Juniper Networks report described an attack chain that injects SSH implants on Control Web Panel (CWP, formerly CentOS Web Panel) to exfiltrate sensitive information from affected systems.

In February 2021, an ELF sample was discovered; NETLAB's recent findings are based on the analysis of that sample.

Main functions of Facefish

The main functions of the Facefish backdoor are:

Upload device information
Steal user credentials
Bounce (reverse) shell
Execute arbitrary commands

Facefish encrypts its communication with the attacker-controlled server using the Blowfish cipher, and it also allows the attacker to deliver different rootkits at different times.

The NETLAB researchers describe an infection chain that divides into three phases:

In the 1st phase, Facefish gets onto the target system through a vulnerability and the implanted Dropper.
In the 2nd phase, the Dropper module of Facefish releases the Rootkit onto the infected system.
The 3rd phase is the operational stage: the Rootkit module collects sensitive information from the infected system and waits for instructions from the command-and-control (C2) server to execute.

The specific vulnerability exploited by the attacker for the initial compromise remains unknown. The researchers note, however, that the Dropper module of Facefish performs a fixed set of tasks:

Detecting the runtime environment
Decrypting a configuration file to obtain the C2 details
Configuring the rootkit
Starting the rootkit by injecting it into "sshd"

Contents of Facefish backdoor

The Facefish backdoor consists of two primary modules, the Dropper and the Rootkit.

The Rootkit module carries the main functionality of Facefish. It is loaded through LD_PRELOAD and operates at the Ring 3 (user-mode) layer.

Using the LD_PRELOAD technique, the Rootkit module hooks functions related to the ssh/sshd programs to steal the login credentials of users on affected systems.

Rootkits can become a serious threat, as they help a threat actor gain elevated privileges on the infected system; with those privileges, the attacker can compromise the core operations of the OS.

C2 commands

0x300 – Report stolen credential information
0x301 – Collect the output of the "uname" command
0x302 – Run reverse shell
0x310 – Execute any system command
0x311 – Send the result of bash execution
0x312 – Report host information

Sample MD5

38fb322cc6d09a6ab85784ede56bc5a7 sshins
d6ece2d07aa6c0a9e752c65fbe4c4ac2 libs.so
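As an added defender-side example (not code from the article or from NETLAB), the following Python triage routine checks the three places where an LD_PRELOAD-loaded userland rootkit of the kind described above leaves traces: /etc/ld.so.preload, the LD_PRELOAD variable in the sshd process environment, and shared objects mapped into sshd from outside the system library directories. The file contents and paths below are constructed sample data, not indicators from the report.

```python
import re
# Directories a legitimately installed shared library is expected to load from
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

def preload_entries(ld_so_preload_text):
    """Non-empty, non-comment lines of /etc/ld.so.preload (normally absent or empty)."""
    lines = (l.strip() for l in ld_so_preload_text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def preload_from_environ(environ_bytes):
    """LD_PRELOAD value from a /proc/<pid>/environ blob (NUL-separated KEY=VALUE pairs)."""
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return ""

# /proc/<pid>/maps line layout: address perms offset dev inode pathname
MAPS_LIB_RE = re.compile(r"(?:\S+\s+){5}(/\S+\.so[\d.]*)$")

def untrusted_mapped_libs(maps_text):
    """Shared objects mapped into the process from outside the trusted library directories."""
    libs = set()
    for line in maps_text.splitlines():
        m = MAPS_LIB_RE.match(line.strip())
        if m and not m.group(1).startswith(TRUSTED_LIB_DIRS):
            libs.add(m.group(1))
    return sorted(libs)

def triage(ld_so_preload_text, environ_bytes, maps_text):
    """Run the three checks on one process; an empty list means nothing suspicious was found."""
    findings = [f"/etc/ld.so.preload lists {lib}" for lib in preload_entries(ld_so_preload_text)]
    env_preload = preload_from_environ(environ_bytes)
    if env_preload:
        findings.append(f"process environment sets LD_PRELOAD={env_preload}")
    findings += [f"library mapped from outside trusted dirs: {lib}"
                 for lib in untrusted_mapped_libs(maps_text)]
    return findings

# Constructed sample data standing in for reads of /etc/ld.so.preload and /proc/<sshd pid>/
SAMPLE_PRELOAD = "/tmp/libs.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/sbin:/usr/bin\0LD_PRELOAD=/tmp/libs.so\0SHELL=/bin/sh\0"
SAMPLE_MAPS = (
    "7f1a00000000-7f1a00100000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f1a00200000-7f1a00210000 r-xp 00000000 08:01 5678 /tmp/libs.so\n"
    "7f1a00300000-7f1a00310000 rw-p 00000000 00:00 0 [heap]\n"
)
if __name__ == "__main__":
    for finding in triage(SAMPLE_PRELOAD, SAMPLE_ENVIRON, SAMPLE_MAPS):
        print(finding)
```

On a live host the three inputs come from open("/etc/ld.so.preload").read(), open(f"/proc/{pid}/environ","rb").read() and open(f"/proc/{pid}/maps").read() for each sshd PID; a clean host yields an empty list.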
