Facefish Backdoor Steals Login Credentials & Executes Arbitrary Commands on Linux Systems


The cybersecurity researchers of the Qihoo 360 NETLAB group have recently discovered a new Linux backdoor, which they have dubbed "Facefish."

Experts have claimed that this new backdoor has the ability to steal user device information and login credentials, and that it can also execute arbitrary commands on infected Linux systems.

By abusing this new Facefish backdoor, a threat actor can encrypt the communications to the attacker-controlled server with the Blowfish cipher. In addition, it enables an adversary to deliver different rootkits at different times.

Main functions of Facefish

The main functions of the Facefish backdoor are:

Upload device details.
Steal user credentials.
Reverse shell.
Execute arbitrary commands.

The researchers at NETLAB describe an infection chain for Facefish that can be divided into three phases:

In the first stage, Facefish spreads its infection through an implanted Dropper and a vulnerability on the infected system.
In the second phase, the Dropper module of Facefish releases the Rootkit on the compromised system.
The third stage is the operational stage; in this phase, the Rootkit module collects sensitive information from the infected system and waits for instructions from the command-and-control (C2) server to execute.

The Facefish backdoor is composed of two main modules, the Dropper and the Rootkit, which are discussed below.

For the initial compromise, the specific vulnerability exploited by the attacker remains unknown. The security experts describe the Dropper module of Facefish as coming with a set of pre-built tasks:

Detecting the runtime environment.
Decrypting a configuration file to obtain the C2 details.
Configuring the Rootkit.
Starting the Rootkit by injecting it into "sshd."

The Rootkit module is the component that carries out the primary functions of the Facefish backdoor. It is loaded with the help of the LD_PRELOAD feature and operates at the Ring 3 layer.

By exploiting the LD_PRELOAD feature, the Rootkit module of Facefish hooks functions related to the ssh/sshd programs in order to steal the login credentials of users on the affected systems.

Rootkits can pose a serious threat, as they help a threat actor obtain elevated privileges on the infected system; with those elevated privileges, the attacker can also compromise the core operations of the OS.
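The LD_PRELOAD injection into sshd described above leaves traces a defender can look for: a library listed in /etc/ld.so.preload, or a shared object mapped into an sshd process from outside the usual library directories (or already deleted from disk), is a strong signal. The following Python script is an added example, not NETLAB's code or part of the report; the trusted directory list and the sample maps excerpt with the constructed path /tmp/.x/libs.so are assumptions.

```python
import os
from typing import Dict, List

# Directories from which sshd's shared objects are normally mapped (assumption).
TRUSTED_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

def preload_entries(text: str) -> List[str]:
    """Library paths listed in /etc/ld.so.preload; on a clean host the file is empty or absent."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def suspicious_mappings(maps_text: str) -> List[str]:
    """Shared objects in a /proc/<pid>/maps dump mapped from outside TRUSTED_DIRS or already deleted."""
    hits: List[str] = []
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)  # last field is the backing path, if any
        if len(fields) < 6 or ".so" not in fields[5]:
            continue  # anonymous mapping, or not a shared object
        path = fields[5].strip()
        deleted = path.endswith("(deleted)")
        real = path.replace(" (deleted)", "")
        if (deleted or not real.startswith(TRUSTED_DIRS)) and path not in hits:
            hits.append(path)
    return hits

def scan_sshd(proc_root: str = "/proc") -> Dict[str, List[str]]:
    """Map each running sshd PID to the suspicious libraries mapped into it."""
    report: Dict[str, List[str]] = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(f"{proc_root}/{pid}/comm") as f:
                if f.read().strip() != "sshd":
                    continue
            with open(f"{proc_root}/{pid}/maps") as f:
                found = suspicious_mappings(f.read())
        except OSError:
            continue  # process exited, or not permitted to read its maps
        if found:
            report[pid] = found
    return report

# Constructed sample: a maps excerpt in which sshd has a library mapped from /tmp.
SAMPLE_MAPS = """\
55d0c1e00000-55d0c1e40000 r-xp 00000000 fd:01 131 /usr/sbin/sshd
7f2a1c000000-7f2a1c1c5000 r-xp 00000000 fd:01 5311 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a1c400000-7f2a1c410000 r-xp 00000000 fd:01 9921 /tmp/.x/libs.so
7f2a1c600000-7f2a1c621000 rw-p 00000000 00:00 0
"""
SAMPLE_PRELOAD = "# constructed /etc/ld.so.preload\n/tmp/.x/libs.so\n"
```

Run scan_sshd() as root to check live sshd processes; a non-empty result or any preload_entries() hit warrants pulling the library for analysis.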

C2 commands

0x300 – Report stolen credential information.
0x301 – Collect the output of the "uname" command.
0x302 – Run a reverse shell.
0x310 – Execute any system command.
0x311 – Send the result of command execution.
0x312 – Report host information.

Sample MD5

NETLAB's findings are based on the analysis of an ELF sample that the researchers found in February 2021.

38fb322cc6d09a6ab85784ede56bc5a7 sshins
d6ece2d07aa6c0a9e752c65fbe4c4ac2 libs.so

An earlier report from Juniper Networks discusses an attack chain that injects SSH implants on Control Web Panel (CWP, previously CentOS Web Panel) to exfiltrate sensitive information from the affected systems.

