Facefish Backdoor Steals Login Credentials & Executes Arbitrary Commands on Linux Systems


Rootkits can become a severe threat: on an infected system they help a threat actor gain elevated privileges, and with those privileges the attacker can also compromise core functions of the operating system.

Cybersecurity researchers at Qihoo 360 NETLAB have recently disclosed a new Linux backdoor, which they have dubbed "Facefish."

Experts report that this new backdoor can steal device information and user login credentials, and can also execute arbitrary commands on infected Linux systems.

By abusing the LD_PRELOAD feature, the Rootkit module of Facefish hooks ssh/sshd-related functions to steal the login credentials of users on affected systems.

Using this new backdoor, a threat actor can encrypt communications to the attacker-controlled server with the Blowfish cipher. Beyond that, it also lets an attacker deliver different rootkits at different times.

An earlier Juniper Networks report described an attack chain that injects SSH implants on Control Web Panel (CWP, formerly CentOS Web Panel) to exfiltrate sensitive data from affected systems.

Contents of Facefish backdoor

The Facefish backdoor is composed of two main modules, a Dropper and a Rootkit, which are described below.

For the initial compromise, the exact vulnerability exploited by the attacker remains unknown. However, the security analysts explain that the Dropper module of Facefish carries a set of pre-built tasks:

Identifying the runtime environment.
Decrypting a configuration file to obtain C2 information.
Setting up the rootkit.
Starting the rootkit by injecting it into "sshd".

The main purpose of the Rootkit module is to realize the core functionality of the Facefish backdoor. The Rootkit module is loaded via the LD_PRELOAD feature and operates at the Ring 3 layer.

Main functions of Facefish

The primary functions of the Facefish backdoor are listed below:

Upload device information.
Steal user credentials.
Bounce shell.
Execute arbitrary commands.

The NETLAB researchers explain that the infection chain of the Facefish backdoor can be divided into three stages:

In the 1st stage, Facefish spreads its infection through the implanted Dropper and a vulnerability on the infected system.
In the 2nd stage, the Dropper module of Facefish launches the Rootkit on the infected system.
The 3rd stage is the operational stage: the Rootkit module collects sensitive information from the infected system and waits for instructions from the command-and-control (C2) server to carry out execution.

C2 commands

0x300 – Report stolen credential info.
0x301 – Collect the output of the "uname" command.
0x302 – Run reverse shell.
0x310 – Execute any system command.
0x311 – Send the result of bash execution.
0x312 – Report host info.

Apart from all this, the experts spotted an ELF sample file in February 2021, and the recent NETLAB findings were published after analysis of that sample.

Sample MD5

38fb322cc6d09a6ab85784ede56bc5a7 sshins
d6ece2d07aa6c0a9e752c65fbe4c4ac2 libs.so
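A defender-side check for the LD_PRELOAD loading path described above, added here as an example; it is not code from the NETLAB report or from the Facefish malware. It audits ssh/sshd processes for an LD_PRELOAD environment variable and for entries in /etc/ld.so.preload, flags shared objects mapped from outside the system library directories, and compares the MD5 of each mapped library against the two sample hashes listed above. The process snapshots, the path /tmp/.hidden/libs.so and the simulated hash lookup are constructed for the demonstration; snapshot_from_proc() shows how the same snapshot is built from a live /proc entry.

```python
import hashlib
from dataclasses import dataclass

# Sample MD5s copied from the NETLAB report quoted in the article.
KNOWN_BAD_MD5 = {
    "38fb322cc6d09a6ab85784ede56bc5a7": "sshins (dropper)",
    "d6ece2d07aa6c0a9e752c65fbe4c4ac2": "libs.so (rootkit)",
}
# Directories from which a legitimately installed shared object is normally mapped.
TRUSTED_LIB_PREFIXES = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

@dataclass
class ProcessSnapshot:
    pid: int
    comm: str       # contents of /proc/<pid>/comm
    environ: dict   # parsed /proc/<pid>/environ
    maps: list      # distinct file-backed paths from /proc/<pid>/maps

def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated /proc/<pid>/environ blob into a dict."""
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def parse_maps(text: str) -> list:
    """Return the distinct file-backed paths from /proc/<pid>/maps, in first-seen order."""
    paths = []
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[5].startswith("/") and fields[5] not in paths:
            paths.append(fields[5])
    return paths

def md5_of(path: str):
    """MD5 of a file on disk, or None if it cannot be read (e.g. a deleted mapping)."""
    try:
        with open(path, "rb") as fh:
            return hashlib.md5(fh.read()).hexdigest()
    except OSError:
        return None

def snapshot_from_proc(pid: int) -> ProcessSnapshot:
    """Build a snapshot from a live /proc entry (Linux only; needs read access to the process)."""
    with open(f"/proc/{pid}/comm") as fh:
        comm = fh.read().strip()
    with open(f"/proc/{pid}/environ", "rb") as fh:
        environ = parse_environ(fh.read())
    with open(f"/proc/{pid}/maps") as fh:
        maps = parse_maps(fh.read())
    return ProcessSnapshot(pid, comm, environ, maps)

def audit_preload(snapshots, ld_so_preload="", hash_lookup=md5_of) -> list:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    # /etc/ld.so.preload forces a library into every dynamically linked process.
    for line in ld_so_preload.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            findings.append(f"/etc/ld.so.preload forces {line} into every process")
    for snap in snapshots:
        if snap.comm not in ("sshd", "ssh"):  # the article says Facefish hooks ssh/sshd
            continue
        if "LD_PRELOAD" in snap.environ:
            findings.append(f"pid {snap.pid} ({snap.comm}) started with "
                            f"LD_PRELOAD={snap.environ['LD_PRELOAD']}")
        for path in snap.maps:
            if not (path.endswith(".so") or ".so." in path):
                continue
            if not path.startswith(TRUSTED_LIB_PREFIXES):
                findings.append(f"pid {snap.pid} maps shared object outside system lib dirs: {path}")
            digest = hash_lookup(path)
            if digest in KNOWN_BAD_MD5:
                findings.append(f"pid {snap.pid} maps {path} matching sample {KNOWN_BAD_MD5[digest]}")
    return findings

# ---- constructed demo input; the path and process data are not real Facefish artifacts ----
CLEAN_MAPS = """\
55d0c2a00000-55d0c2a9c000 r-xp 00000000 08:01 1310733 /usr/sbin/sshd
7f2a0c200000-7f2a0c3c5000 r-xp 00000000 08:01 1179650 /usr/lib/x86_64-linux-gnu/libc.so.6
"""
INFECTED_MAPS = CLEAN_MAPS + "7f2a0c400000-7f2a0c403000 r-xp 00000000 08:01 2359301 /tmp/.hidden/libs.so\n"
# Simulated on-disk hashes so the demo runs without touching the filesystem.
FAKE_HASHES = {"/tmp/.hidden/libs.so": "d6ece2d07aa6c0a9e752c65fbe4c4ac2"}

def run_demo() -> list:
    snapshots = [
        ProcessSnapshot(900, "sshd", parse_environ(b"PATH=/usr/sbin:/usr/bin\0"), parse_maps(CLEAN_MAPS)),
        ProcessSnapshot(1234, "sshd",
                        parse_environ(b"PATH=/usr/sbin:/usr/bin\0LD_PRELOAD=/tmp/.hidden/libs.so\0"),
                        parse_maps(INFECTED_MAPS)),
    ]
    return audit_preload(snapshots, ld_so_preload="/tmp/.hidden/libs.so\n", hash_lookup=FAKE_HASHES.get)
```

On a live host, replace the constructed snapshots with `[snapshot_from_proc(p) for p in pids]` and pass the contents of /etc/ld.so.preload; the clean pid 900 produces no findings, while pid 1234 is reported three times (preload variable, untrusted mapping path, hash match) in addition to the ld.so.preload entry. A hooked sshd can lie about its own state, so reading /proc from a separate process, or from offline disk and memory images, is the more reliable vantage point.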

