Facefish Backdoor Steals Login Credentials & Execute Arbitrary Commands on Linux Systems


Here, the main objective or function of the Rootkit module is to acknowledge the primary goal or function of the Facefish backdoor. With the aid of LD_PRELOAD include the Rootkit module gets load, and at the Ring 3 layer this module works.

Upload gadget information.
Stealing user credentials.
Bounce Shell.
Carry out approximate commands.

Furthermore, the Rootkits may end up being an extreme risk, as in the contaminated system it assists a hazard actor to get elevated benefits; and due to the elevated advantages, the assailant can also threaten the core operations of the OS..

By making use of the LD_PRELOAD function the Rootkit module of Facefish hooks the ssh/sshd program-related functions to take the login qualifications of the users on the affected systems.

Discovering the runtime environment.
To get C2 details decrypting a configuration file.
Configuring the rootkit.
Starting the rootkit by injecting it into the “sshd.”.

Primary functions of Facefish.

The Facefish backdoor is composed of main 2 modules, and here they are mentioned listed below:-.

An earlier report of Juniper Networks discusses about an attack chain that injects the SSH implants on Control Web Panel (CWP, formerly CentOS Web Panel) to exfiltrate essential information from the impacted systems.

In the 1st phase, through the implanted Dropper and vulnerability on the infected system, the Facefish spread its infection.
In the 2nd phase, the Dropper module of Facfish releases the Rootkit on the infected system.
The 3rd phase is the operational stage, and in this stage, the Rootkit module gathers the sensitive info from the contaminated system and waits for the command-and-control (C2) server instructions to carry out the execution procedure.

By abusing this brand-new Facefish backdoor a danger actor can secure the interactions to the server controlled by the opponent with the help of Blowfish cipher. And not just that even it likewise enables an attacker to deliver several rootkits at distinct times.

Specialists have actually declared that this new backdoor has the capability to steal user gadget details, login qualifications, and even it can likewise carry out arbitrary commands on the infected Linux systems.

C2 commands.

For the preliminary compromise, the certain vulnerability that is exploited by the assaulter still remains uncertain. The security analysts describe that the dropper module of Facefish comes with a set of pre-built tasks like:-.

The primary functions of the Facefish backdoor are mentioned below:-.

The scientists at NETLAB describes that the infection chain of Facefish backdoor can be divided into 3 phases, and here they are:-.

The cybersecurity scientists of the Qihoo 360 NETLAB group have recently uncovered a new Linux backdoor, that has actually been called as, “Facefish.”.

Contents of Facefish backdoor.

0x300– Report taken credential information.
0x301– Collect details of “uname” command.
0x302– Run reverse shell.
0x310– Execute any system command.
0x311– Send the outcome of bash execution.
0x312– Report host information.

Apart from all these things, in February 2021, an ELF sample file was found by the specialists and after analysis of that ELF sample file, the recent decisions of NETLAB have actually been released.

Test MD5.

38fb322cc6d09a6ab85784ede56bc5a7 sshins.
d6ece2d07aa6c0a9e752c65fbe4c4ac2 libs.so.


You can follow us on Linkedin, Twitter, Facebook for everyday Cybersecurity and hacking news updates.