
How the New Linux Based Facefish Backdoor Steals Login Credentials

by CISOCONNECT Bureau

A new backdoor malware capable of stealing user login credentials has been discovered by cybersecurity researchers. Read on to know more…

Linux has evolved over time to become not only the backbone of the internet and the Android Operating System, but also everything that requires a minimal operating system for dedicated software. As a result, it is extremely desirable for threat actors to leave backdoors that allow them to re-enter systems. Facefish is one such backdoor that was just uncovered by the security researchers.

Technicalities
According to the Qihoo 360 NETLAB team, the Facefish backdoor can be used to steal device information and login credentials, execute arbitrary commands, and spawn a bounce shell on affected Linux hosts. The backdoor targets Linux x64 systems and is capable of installing several rootkits at once. Furthermore, it uses the Blowfish algorithm to encrypt its C2 communications.

CWP (Control Web Panel) has numerous issues, and its source code appears to be encrypted and obfuscated, which makes it hard to determine which versions are still vulnerable to the malware. Last year, 215,000 CWP installations were accessible from the public internet, so it is possible that a large number of machines have been infected.

The researchers noted: “Facefish consists of 2 parts, Dropper and Rootkit, and its main function is determined by the Rootkit module, which works at the Ring 3 layer and is loaded using the LD_PRELOAD feature to steal user login credentials by hooking ssh/sshd program related functions, and it also supports some backdoor functions.”

This isn’t the first time someone has looked at Facefish’s activities in depth. Juniper Networks previously detailed an attack chain that involved injecting SSH implants into Control Web Panel (CWP) to steal sensitive data from compromised systems.

Working Mechanism
Facefish infects computers in a multi-stage process that begins with a command injection against CWP to retrieve a dropper (“sshins”) from a remote server, which then releases a rootkit that collects and transmits sensitive data back to the server while also waiting for further instructions from the Command-and-Control (C2) server.
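A Ring 3 rootkit loaded the way the researchers describe has to make the dynamic loader pull it into ssh/sshd, either through an LD_PRELOAD variable in the process environment or through /etc/ld.so.preload, and both leave traces a defender can read from /proc. The Python check below is an added example written for this article, not code from the NETLAB or Juniper analyses; the trusted-directory allow-list and the sample maps excerpt are constructed assumptions.

```python
import os
# Trusted library dirs for a stock ssh/sshd (assumption: illustrative, extend per distro).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/libexec/")

# Constructed /proc/<pid>/maps excerpt: libc plus one foreign library under /tmp.
SAMPLE_MAPS = ("7f00-7f01 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
               "7f10-7f11 r-xp 00000000 08:01 5678 /tmp/.x/libs.so\n"
               "7f20-7f21 rw-p 00000000 00:00 0\n7f30-7f31 r-xp 00000000 00:00 0 [vdso]\n")

def preload_entries(text):
    """Library paths listed in /etc/ld.so.preload content, comments and blanks dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries

def suspicious_mapped_libs(maps_text):
    """File-backed .so mappings in /proc/<pid>/maps content outside the trusted dirs."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(parts) == 6 and ".so" in parts[5] and not parts[5].startswith(TRUSTED_LIB_DIRS):
            found.add(parts[5])
    return sorted(found)

def env_preload(environ_bytes):
    """LD_PRELOAD value from /proc/<pid>/environ content, or None if unset."""
    for item in environ_bytes.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None

def scan_host():
    """Report /etc/ld.so.preload entries and each ssh/sshd process showing an indicator."""
    hits = []
    if os.path.exists("/etc/ld.so.preload"):
        hits.append({"ld.so.preload": preload_entries(open("/etc/ld.so.preload").read())})
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            if open(f"/proc/{pid}/comm").read().strip() not in ("ssh", "sshd"):
                continue
            libs = suspicious_mapped_libs(open(f"/proc/{pid}/maps").read())
            preload = env_preload(open(f"/proc/{pid}/environ", "rb").read())
        except OSError:  # process exited, or environ/maps not readable without root
            continue
        if libs or preload:
            hits.append({"pid": int(pid), "libs": libs, "LD_PRELOAD": preload})
    return hits
```

Run scan_host() as root on a Linux host to inspect every live ssh/sshd process; suspicious_mapped_libs(SAMPLE_MAPS) shows the kind of finding it produces on the constructed excerpt.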

Some of the key functions of Facefish are uploading device information, stealing user credentials, opening a bounce shell, and executing arbitrary commands.

Rootkits are especially harmful because they give attackers elevated privileges in the system, allowing them to meddle with core operations conducted by the underlying operating system. Rootkits’ ability to blend into the operating system’s fabric provides attackers with a high level of stealth and evasion features.

Past Attacks
Although this is one of the most recent threats to Linux OS, there have been others in previous years. Let’s have a look at them.

The Sysrv-hello cryptojacking botnet has been discovered actively scanning for vulnerable Windows and Linux enterprise servers in order to infect them with Monero-mining malware. The Linux kernel has an information disclosure security flaw (CVE-2020-28588) that, if exploited, could allow attackers to leak information from the kernel stack.

A Brief Conclusion
According to the researchers, access to infected systems is likely to be rented or sold as part of a botnet. This is confirmed by the fact that, while Facefish collects detailed system information, it does not begin cryptomining or further propagation right away.
