Facefish Backdoor Steals Login Credentials & Executes Arbitrary Commands on Linux Systems


Cybersecurity researchers at Qihoo 360's NETLAB group have recently discovered a new Linux backdoor, which they have dubbed "Facefish."

The researchers state that this new backdoor can steal device details and login credentials, and can also execute arbitrary commands on the infected Linux systems.

Facefish encrypts its communications with the attacker-controlled server using the Blowfish cipher, and it also allows the attacker to deliver different rootkits at different times.

Rootkits are a serious threat because they help a threat actor gain elevated privileges on the infected system; with those privileges the attacker can also tamper with the core operations of the OS.

An earlier report from Juniper Networks describes an attack chain that injects SSH implants on Control Web Panel (CWP, formerly CentOS Web Panel) to exfiltrate sensitive data from the affected systems.

Contents of Facefish backdoor

The Facefish backdoor is composed of two main modules, the Dropper and the Rootkit.

The Rootkit module is the one that carries out the primary purpose of the Facefish backdoor. It is loaded with the help of the LD_PRELOAD feature and operates at the Ring 3 (user-space) layer.

The researchers at NETLAB explain that the infection chain of the Facefish backdoor can be divided into three phases:

In the first phase, Facefish spreads through a vulnerability on the targeted system and implants the Dropper.
In the second phase, the Dropper module of Facefish releases the Rootkit on the infected system.
The third phase is the operational phase, in which the Rootkit module gathers sensitive information from the compromised system and waits for instructions from the command-and-control (C2) server to execute.

For the initial compromise, the exact vulnerability exploited by the attacker still remains unknown. However, the researchers describe that the Dropper module of Facefish includes a set of pre-built tasks:

Detecting the runtime environment.
Decrypting a configuration file to obtain C2 information.
Configuring the rootkit.
Starting the rootkit by injecting it into "sshd".

Primary functions of Facefish

By abusing the LD_PRELOAD feature, the Rootkit module of Facefish hooks ssh/sshd-related functions to steal the login credentials of users on the affected systems.

The primary functions of the Facefish backdoor are:

Upload device information.
Steal user credentials.
Reverse shell.
Execute arbitrary commands.

C2 commands

0x300 – Report stolen credential information.
0x301 – Collect the output of the "uname" command.
0x302 – Run a reverse shell.
0x310 – Execute any system command.
0x311 – Send the result of bash execution.
0x312 – Report host information.

Sample MD5

In February 2021 an ELF sample was discovered by the researchers, and NETLAB's current findings were released after analysis of that sample.

38fb322cc6d09a6ab85784ede56bc5a7 sshins
d6ece2d07aa6c0a9e752c65fbe4c4ac2 libs.so
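The article says the Rootkit is injected into sshd through LD_PRELOAD and publishes two sample MD5s. The following is an added example (not code from the article or from NETLAB) showing the checks a defender would run for this pattern: entries in /etc/ld.so.preload, an LD_PRELOAD variable in the environment of a running sshd, and an MD5 match against the published samples. All inputs (the preload file body, the /proc/<pid>/environ blob, and the path /tmp/.x/libs.so) are constructed for the example, and the function names are the author's own, not anything from Facefish or a real tool.

```python
"""Offline checks for LD_PRELOAD-based injection into sshd and a Facefish IoC match.
Added example: the sample inputs below are constructed, not taken from a real host."""
import hashlib
import re

# The two sample MD5s published in the article; nothing else is assumed.
FACEFISH_MD5 = {
    "38fb322cc6d09a6ab85784ede56bc5a7": "sshins",
    "d6ece2d07aa6c0a9e752c65fbe4c4ac2": "libs.so",
}

# Constructed inputs standing in for /etc/ld.so.preload and /proc/<sshd pid>/environ.
SAMPLE_PRELOAD = "# constructed sample\n\n/tmp/.x/libs.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/sbin:/usr/bin\x00LD_PRELOAD=/tmp/.x/libs.so\x00"

# Directories where a legitimately preloaded library would normally live.
TRUSTED_LIB_DIR = re.compile(r"^/(usr/)?lib(64)?/")


def preload_entries(ld_so_preload_text):
    """Return the non-empty, non-comment lines of an /etc/ld.so.preload body.
    On a clean host the file is usually absent or empty, so any entry deserves review."""
    entries = []
    for line in ld_so_preload_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def ld_preload_from_environ(environ_bytes):
    """Parse a NUL-separated KEY=VALUE blob (the /proc/<pid>/environ layout)
    and return the LD_PRELOAD value, or None if the variable is not set."""
    key = b"LD_PRELOAD="
    for item in environ_bytes.split(b"\x00"):
        if item.startswith(key):
            return item[len(key):].decode(errors="replace")
    return None


def suspicious_preload_paths(paths):
    """Flag preload libraries outside the standard system library directories."""
    return [p for p in paths if not TRUSTED_LIB_DIR.match(p)]


def file_md5(data):
    """MD5 of a file's bytes, in the lowercase hex form used by the IoC list."""
    return hashlib.md5(data).hexdigest()


def match_ioc_digest(hexdigest):
    """Return the sample name if the digest is one of the published Facefish MD5s."""
    return FACEFISH_MD5.get(hexdigest.lower())


def assess(ld_so_preload_text, sshd_environ, candidate_files):
    """Combine the three checks into a list of human-readable findings.
    candidate_files maps a path to the bytes read from it."""
    findings = []
    for path in suspicious_preload_paths(preload_entries(ld_so_preload_text)):
        findings.append(f"ld.so.preload entry outside system lib dirs: {path}")
    env_val = ld_preload_from_environ(sshd_environ)
    if env_val:
        findings.append(f"sshd environment carries LD_PRELOAD={env_val}")
    for path, data in candidate_files.items():
        hit = match_ioc_digest(file_md5(data))
        if hit:
            findings.append(f"{path} matches published Facefish sample {hit}")
    return findings


if __name__ == "__main__":
    # Constructed file content; it will not match the published hashes.
    for finding in assess(SAMPLE_PRELOAD, SAMPLE_ENVIRON, {"/tmp/.x/libs.so": b"benign"}):
        print(finding)
```

On a live host the same functions would be fed the contents of /etc/ld.so.preload, the environ file of each sshd process, and the bytes of any library those two sources point at; a preload entry that is absent from the package manager's file list is the finding to escalate, and the hash match is only a confirmation for the specific samples the article names.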

