Cybersecurity researchers have disclosed a new backdoor capable of stealing user login credentials and system information and of executing arbitrary commands on Linux systems.
The malware dropper has been dubbed “Facefish” by Qihoo 360's NETLAB team, owing to its ability to deliver different rootkits at different times and its use of the Blowfish cipher to encrypt communications with the attacker-controlled server.
“Facefish consists of 2 parts, Dropper and Rootkit, and its main function is determined by the Rootkit module, which works at the Ring 3 layer and is loaded using the LD_PRELOAD feature to steal user login credentials by hooking ssh/sshd program related functions, and it also supports some backdoor functions,” the researchers said.
The NETLAB research builds on a previous analysis published by Juniper Networks on April 26, which documented an attack chain targeting Control Web Panel (CWP, formerly CentOS Web Panel) to inject an SSH implant with data exfiltration capabilities.
Facefish goes through a multi-stage infection process, which begins with a command injection against CWP to retrieve a dropper (“sshins”) from a remote server; the dropper then releases a rootkit that ultimately takes charge of collecting and transmitting sensitive information back to the server, in addition to awaiting further instructions issued by the command-and-control (C2) server.
For its part, the dropper comes with its own set of tasks, chief among them detecting the runtime environment, decrypting a configuration file to obtain C2 information, configuring the rootkit, and starting the rootkit by injecting it into the secure shell server process (sshd).
Rootkits are particularly dangerous because they let attackers gain elevated privileges on the system, enabling them to interfere with core operations of the underlying operating system. This ability of rootkits to blend into the fabric of the operating system gives attackers a high degree of stealth and evasion.
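As an added example, not code from the NETLAB or Juniper write-ups: a POSIX shell script that checks for the traces an LD_PRELOAD-loaded userland rootkit leaves around a process such as sshd, run here against constructed sample environ and maps files rather than a live /proc; the list of trusted library directories is an assumption to adjust per distribution.

```shell
#!/bin/sh
# Added detection example (not from the NETLAB or Juniper reports).
# Looks for the three traces an LD_PRELOAD-loaded userland rootkit leaves
# around a process such as sshd:
#   1. a populated /etc/ld.so.preload
#   2. LD_PRELOAD in the process environment (/proc/<pid>/environ)
#   3. a shared object mapped from outside the standard library dirs
# File paths are taken as arguments so the checks run here against
# constructed samples; on a live host point them at /proc/<pid>/... .

# True if the NUL-separated environ file sets LD_PRELOAD.
env_has_preload() {
    tr '\000' '\n' < "$1" | grep -q '^LD_PRELOAD='
}

# True if the system-wide preload file exists and names at least one library.
preload_file_nonempty() {
    [ -s "$1" ] && grep -q '[^[:space:]]' "$1"
}

# Print mapped .so paths that do not live under /lib* or /usr/lib*.
# The directory allowlist is an assumption; adjust it for your distribution.
suspicious_maps() {
    awk '$6 ~ /\.so/ { print $6 }' "$1" | sort -u |
        grep -Ev '^/(usr/)?lib(32|64|x32)?/' || true
}

# --- constructed samples standing in for /proc/<pid>/environ and maps ---
SAMPLE_DIR=$(mktemp -d)
printf 'PATH=/usr/sbin:/usr/bin\000LD_PRELOAD=/tmp/.x/libs.so\000' \
    > "$SAMPLE_DIR/environ"
cat > "$SAMPLE_DIR/maps" <<'EOF'
55d2c3a00000-55d2c3a1e000 r--p 00000000 fd:01 1234 /usr/sbin/sshd
7f1a4c200000-7f1a4c222000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a4c300000-7f1a4c302000 r-xp 00000000 fd:01 4321 /lib64/ld-linux-x86-64.so.2
7f1a4c400000-7f1a4c405000 r-xp 00000000 fd:01 9999 /tmp/.x/libs.so
EOF
printf '\n' > "$SAMPLE_DIR/ld.so.preload"   # blank, i.e. clean

# Run the checks against the samples.
env_has_preload "$SAMPLE_DIR/environ" && echo "LD_PRELOAD set in process environment"
preload_file_nonempty "$SAMPLE_DIR/ld.so.preload" || echo "ld.so.preload is clean"
echo "Non-standard shared objects mapped into the process:"
suspicious_maps "$SAMPLE_DIR/maps"
```

On a real host, compare the mapped objects against package-manager ownership and file hashes as well, since a rootkit can also be dropped into a trusted library directory.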
Facefish also employs a complex communication protocol and encryption algorithm, using instructions starting with 0x2XX to exchange public keys and BlowFish to encrypt communication data with the C2 server. Some of the C2 commands sent by the server are as follows:
- 0x300 – Report stolen credential information
- 0x301 – Collect details of the “uname” command
- 0x302 – Run reverse shell
- 0x310 – Execute any system command
- 0x311 – Send the result of bash execution
- 0x312 – Report host information
NETLAB’s findings come from an analysis of an ELF sample file it detected in February 2021. Other indicators of compromise associated with the malware are available in the full NETLAB report.