Facefish Backdoor Steals Login Credentials & Executes Arbitrary Commands on Linux Systems


Researchers at Qihoo 360 NETLAB have recently disclosed a new Linux backdoor, which they have named "Facefish."

According to the researchers, the backdoor can collect device information, steal login credentials and execute arbitrary commands on infected Linux systems.

Its rootkit component is what makes it a serious threat: it helps the attacker obtain elevated privileges on the infected system and, with those privileges, tamper with core operations of the OS.

An earlier report from Juniper Networks described an attack chain that injected SSH implants into Control Web Panel (CWP, formerly CentOS Web Panel) servers to exfiltrate sensitive data from the affected systems.

Contents of Facefish backdoor

The Facefish backdoor is made up of two main modules:

Dropper
Rootkit

Infection chain

The NETLAB researchers explain that the Facefish infection chain can be divided into three phases:

In the first phase, Facefish is delivered to the target system through a vulnerability and the implanted Dropper.
In the second phase, the Dropper module releases the Rootkit onto the infected system.
The third phase is the operational phase, in which the Rootkit module collects sensitive information from the infected system and waits for instructions from the command-and-control (C2) server to execute.

The specific vulnerability exploited for the initial compromise remains unknown. The researchers describe the Dropper module as carrying a set of built-in tasks:

Detecting the runtime environment.
Decrypting a configuration file to obtain the C2 details.
Configuring the Rootkit.
Starting the Rootkit by injecting it into sshd.

Facefish encrypts its communication with the attacker-controlled server using the Blowfish cipher, and its design lets the attacker deliver different rootkits at different times.

The Rootkit module is the part that realises the core functionality of the backdoor. It is loaded through the LD_PRELOAD mechanism and runs at Ring 3 (user mode) rather than in the kernel. By abusing LD_PRELOAD, it hooks functions used by the ssh/sshd programs to steal the login credentials of users on the affected system.

Primary functions of Facefish

Upload device information.
Steal user credentials.
Bounce shell (reverse shell).
Execute arbitrary commands.

C2 commands

The main functions of the Facefish backdoor map to the following C2 command codes:

0x300 – Report stolen credential information.
0x301 – Collect the output of the "uname" command.
0x302 – Run a reverse shell.
0x310 – Execute any system command.
0x311 – Send the result of bash execution.
0x312 – Report host details.

Sample MD5

NETLAB's findings are based on an ELF sample first spotted in February 2021; the analysis of that sample led to the published report.

38fb322cc6d09a6ab85784ede56bc5a7 sshins
d6ece2d07aa6c0a9e752c65fbe4c4ac2 libs.so

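As an added example (not code from NETLAB or from this article), the script below checks a Linux host for the observables the report describes: a shared object preloaded into ssh/sshd through LD_PRELOAD or /etc/ld.so.preload, and the two published MD5 hashes. The file name "libs.so" comes from the report's sample list and is assumed here to be the name pattern worth looking for; the helper functions take raw text/bytes so they can be exercised on constructed input as well as on a live /proc.

```python
"""Hunt for Facefish-style LD_PRELOAD persistence and the published IOCs.

Added example, not code from NETLAB or the article. It checks the
observables the report describes: a shared object preloaded into ssh/sshd
via LD_PRELOAD or /etc/ld.so.preload, and the two MD5 IOCs. The pattern
"libs.so" is taken from the report's sample list (an assumption that the
same file name is reused); all sample inputs are constructed.
"""
import hashlib
import os
import re
from pathlib import Path

# MD5 IOCs as published in the NETLAB report.
FACEFISH_MD5 = {
    "38fb322cc6d09a6ab85784ede56bc5a7": "sshins (dropper)",
    "d6ece2d07aa6c0a9e752c65fbe4c4ac2": "libs.so (rootkit)",
}


def parse_ld_so_preload(text):
    """Return the library paths listed in /etc/ld.so.preload content.

    Comments and blank lines are ignored. A clean host normally has no such
    file, or an empty one, so every entry returned deserves a look.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def preload_from_environ(environ):
    """Extract LD_PRELOAD from a NUL-separated /proc/<pid>/environ blob."""
    for item in environ.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def suspicious_mappings(maps_text, name_pattern=r"(^|/)libs\.so"):
    """Return file paths in /proc/<pid>/maps text whose name matches name_pattern.

    A maps line has six whitespace-separated fields only when the mapping is
    file-backed (the sixth being the path), so anonymous mappings are skipped.
    """
    hits = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and re.search(name_pattern, fields[5]):
            hits.add(fields[5])
    return sorted(hits)


def md5_hex(data):
    """MD5 hex digest of data (MD5 is used only because the IOCs are MD5)."""
    return hashlib.md5(data).hexdigest()


def match_ioc(data, iocs=FACEFISH_MD5):
    """Return the IOC label for data, or None if its MD5 is not listed."""
    return iocs.get(md5_hex(data))


def scan_host(proc_root="/proc", preload_path="/etc/ld.so.preload"):
    """Live check; reading other processes' environ/maps requires root."""
    findings = []
    try:
        for lib in parse_ld_so_preload(Path(preload_path).read_text()):
            findings.append(("ld.so.preload", lib))
            try:
                label = match_ioc(Path(lib).read_bytes())
                if label:
                    findings.append(("ioc-match", f"{lib} = {label}"))
            except OSError:
                pass
    except OSError:
        pass  # file absent: the normal case on a clean host
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        base = Path(proc_root) / pid
        try:
            if (base / "comm").read_text().strip() not in ("ssh", "sshd"):
                continue
            env = preload_from_environ((base / "environ").read_bytes())
            if env:
                findings.append((f"pid {pid} LD_PRELOAD", env))
            for path in suspicious_mappings((base / "maps").read_text()):
                findings.append((f"pid {pid} maps", path))
        except OSError:
            continue  # process exited or is not readable
    return findings


if __name__ == "__main__":
    for where, what in scan_host():
        print(f"[!] {where}: {what}")
```

Because an LD_PRELOAD rootkit hooks libc-level functions inside any process that loads it, a check like this should be run from a statically linked interpreter or, better, against the disk from a rescue image, and a hit on /etc/ld.so.preload or on an sshd environment should be corroborated with the hash check and with the maps listing rather than trusted on its own.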
