Cybersecurity researchers at Qihoo 360 NETLAB have published details of a new backdoor, named Facefish, that threat actors can use to steal login credentials and execute arbitrary commands on Linux systems. The researchers chose the name because of the implant's ability to deliver different rootkits at different times and its use of the Blowfish cipher to encrypt communications with the C2 server.

Facefish consists of two parts, a dropper and a rootkit. The rootkit runs in user space (Ring 3) and is activated through library preloading (LD_PRELOAD). Once loaded, it hooks functions used by the ssh and sshd programs and captures the credentials that pass through them. The dropper decrypts the embedded configuration and installs the rootkit: it writes the shared object to /lib64/libs.so and adds that path to /etc/ld.so.preload, so that the dynamic loader forces the library into every dynamically linked program started from then on.
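The two persistence artefacts named above, /etc/ld.so.preload and the library at /lib64/libs.so, are also the cheapest things to audit for. The following script is an added example written for this page, not code from NETLAB or from the Facefish samples. It parses the preload file the way the loader reads it (whitespace-separated paths, '#' comments), checks the LD_PRELOAD environment variable, and then looks for any listed object in per-process /proc/<pid>/maps data. The sample preload content and maps text are constructed inline so it runs offline; audit_live_host() runs the same checks against a real system.

```python
"""Audit a Linux host for LD_PRELOAD-style user-space rootkits such as Facefish.

Added example for this page; not NETLAB's or the malware's own code.
"""
import os
from pathlib import Path

# The only on-disk path the article names. Any other entry in
# /etc/ld.so.preload is still reported: on a clean host the file normally
# does not exist at all.
KNOWN_BAD = {"/lib64/libs.so"}


def parse_ld_so_preload(text):
    """Return library paths listed in /etc/ld.so.preload.

    The loader treats the file as whitespace-separated paths and ignores
    anything after '#' on a line.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.split())
    return entries


def find_in_maps(maps_text, paths):
    """Return which of `paths` are mapped into a process, given its /proc/<pid>/maps text."""
    found = set()
    for line in maps_text.splitlines():
        # address perms offset dev inode [pathname]
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5] in paths:
            found.add(parts[5])
    return found


def audit(preload_text, env, maps_by_pid):
    """Return (severity, detail) findings for the given preload file, environment and maps."""
    findings = []
    entries = parse_ld_so_preload(preload_text)
    for entry in entries:
        severity = "known-facefish" if entry in KNOWN_BAD else "unexpected-preload"
        findings.append((severity, entry))
    # LD_PRELOAD accepts space- or colon-separated lists.
    for token in env.get("LD_PRELOAD", "").replace(":", " ").split():
        findings.append(("env-preload", token))
    watch = set(entries) | KNOWN_BAD
    for pid, maps_text in maps_by_pid.items():
        for lib in sorted(find_in_maps(maps_text, watch)):
            findings.append(("mapped", f"{pid}:{lib}"))
    return findings


def audit_live_host():
    """Run the same checks against the real /etc/ld.so.preload and /proc (requires Linux)."""
    preload = Path("/etc/ld.so.preload")
    text = preload.read_text() if preload.exists() else ""
    maps_by_pid = {}
    for entry in Path("/proc").iterdir():
        if entry.name.isdigit():
            try:
                maps_by_pid[entry.name] = (entry / "maps").read_text()
            except OSError:
                continue  # process exited or not readable
    return audit(text, dict(os.environ), maps_by_pid)


# Constructed sample input: one preload entry, one sshd that has it mapped,
# and one unrelated process that does not.
SAMPLE_PRELOAD = "/lib64/libs.so\n"
SAMPLE_MAPS = {
    "1234": (
        "55d1c0000000-55d1c0100000 r-xp 00000000 08:01 1001 /usr/sbin/sshd\n"
        "7f2a00000000-7f2a00020000 r-xp 00000000 08:01 2002 /lib64/libs.so\n"
        "7f2a00100000-7f2a00300000 r-xp 00000000 08:01 3003 /lib/x86_64-linux-gnu/libc.so.6\n"
    ),
    "1235": (
        "55d1d0000000-55d1d0100000 r-xp 00000000 08:01 1004 /usr/bin/bash\n"
        "7f2b00100000-7f2b00300000 r-xp 00000000 08:01 3003 /lib/x86_64-linux-gnu/libc.so.6\n"
    ),
}

if __name__ == "__main__":
    for severity, detail in audit(SAMPLE_PRELOAD, {}, SAMPLE_MAPS):
        print(severity, detail)
```

A non-empty /etc/ld.so.preload is worth a ticket on its own on most fleets; the maps check matters because the dropper can be removed after the fact while the already-running sshd keeps the hooked library mapped.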

Rootkits of this kind are especially dangerous because they run inside the processes they hijack, including root-owned services such as sshd, and can interfere with the operation of sensitive applications from within. Disguising themselves as part of the operating system also gives them a high degree of stealth and evasion.

The exact vulnerability exploited by the threat actors has yet to be determined, but the researchers noted that the server control panel CWP (Control Web Panel, formerly CentOS Web Panel) has been affected by multiple flaws. Facefish specifically targets x64 Linux systems, can deliver multiple rootkits at different times, and uses the Blowfish algorithm to encrypt its C2 communications.

The malware supports multiple functions, including:

Upload device information

Steal user credentials

Reverse shell

Execute arbitrary commands

In addition, Facefish employs a relatively complex communication protocol: commands in the 0x2XX range are used to exchange public keys, after which Blowfish is used to encrypt the data exchanged with the C2 server.

Some of the C2 commands sent by the server are as follows:

0x300 – Report stolen credential information

0x301 – Report the output of the “uname” command

0x302 – Run a reverse shell

0x310 – Execute an arbitrary system command

0x311 – Send the result of the bash command execution

0x312 – Report host information
