Facefish Backdoor Steals Login Credentials From Linux Systems

The cybersecurity researchers of the Qihoo 360 NETLAB workforce have just lately uncovered a brand new Linux backdoor, that has been dubbed as, “Facefish.” 

Specialists have claimed that this new backdoor has the power to steal consumer gadget info, login credentials, and even it will probably additionally execute arbitrary instructions on the contaminated Linux techniques.

By abusing this new Facefish backdoor a risk actor can encrypt the communications to the server managed by the attacker with the assistance of Blowfish cipher. And never solely that even it additionally permits an attacker to ship a number of rootkits at distinct occasions.

Contents of Facefish backdoor

The Facefish backdoor consists of main two modules, and right here they’re talked about under:-

Right here, the first objective or operate of the Rootkit module is to acknowledge the first objective or operate of the Facefish backdoor. With the assistance of LD_PRELOAD characteristic the Rootkit module will get load, and on the Ring 3 layer this module works.

By exploiting the LD_PRELOAD characteristic the Rootkit module of Facefish hooks the ssh/sshd program-related capabilities to steal the login credentials of the customers on the affected techniques.

Main capabilities of Facefish

The first capabilities of the Facefish backdoor are talked about under:-

  • Add gadget info
  • Stealing consumer credentials
  • Bounce Shell
  • Execute arbitrary instructions

An earlier report of Juniper Networks explains about an assault chain that injects the SSH implants on Management Net Panel (CWP, previously CentOS Net Panel) to exfiltrate important information from the affected techniques.

The researchers at NETLAB explains that the an infection chain of Facefish backdoor could be divided into 3 phases, and right here they’re:-

  • Within the 1st stage, by the implanted Dropper and vulnerability on the contaminated system, the Facefish unfold its an infection.
  • Within the 2nd stage, the Dropper module of Facfish releases the Rootkit on the contaminated system.
  • The third stage is the operational stage, and on this stage, the Rootkit module collects the delicate info from the contaminated system and waits for the command-and-control (C2) server directions to carry out the execution course of.

For the preliminary compromise, the particular vulnerability that’s exploited by the attacker nonetheless stays unclear. However, the safety analysts clarify that the dropper module of Facefish comes with a set of pre-built duties like:-

  • Detecting the runtime surroundings.
  • To get C2 info decrypting a configuration file.
  • Configuring the rootkit.
  • Beginning the rootkit by injecting it into the “sshd.”

Furthermore, the Rootkits could change into a extreme hazard, as within the contaminated system it helps a risk actor to realize elevated privileges; and because of the elevated privileges, the attacker may also endanger the core operations of the OS.  

C2 instructions

  • 0x300 – Report stolen credential info
  • 0x301 – Gather particulars of “uname” command
  • 0x302 – Run reverse shell
  • 0x310 – Execute any system command
  • 0x311 – Ship the results of bash execution
  • 0x312 – Report host info

Aside from all this stuff, in February 2021, an ELF pattern file was detected by the specialists and after evaluation of that ELF pattern file, the latest verdicts of NETLAB have been revealed.

Pattern MD5

38fb322cc6d09a6ab85784ede56bc5a7 sshins
d6ece2d07aa6c0a9e752c65fbe4c4ac2 libs.so


You may comply with us on LinkedinTwitterFacebook for every day Cybersecurity and hacking information updates.


Please enter your comment!
Please enter your name here