The cybersecurity researchers of the Qihoo 360 NETLAB team have recently uncovered a new Linux backdoor, that has been dubbed as, “Facefish.” 

Experts have claimed that this new backdoor has the ability to steal user device information, login credentials, and even it can also execute arbitrary commands on the infected Linux systems.

By abusing this new Facefish backdoor a threat actor can encrypt the communications to the server controlled by the attacker with the help of Blowfish cipher. And not only that even it also allows an attacker to deliver several rootkits at distinct times.

Contents of Facefish backdoor

The Facefish backdoor is composed of primary two modules, and here they are mentioned below:-

• Dropper
• Rootkit

Here, the primary goal or function of the Rootkit module is to recognize the primary goal or function of the Facefish backdoor. With the help of LD_PRELOAD feature the Rootkit module gets load, and at the Ring 3 layer this module works.

By exploiting the LD_PRELOAD feature the Rootkit module of Facefish hooks the ssh/sshd program-related functions to steal the login credentials of the users on the affected systems.

Primary functions of Facefish

The primary functions of the Facefish backdoor are mentioned below:-

• Upload device information
• Stealing user credentials
• Bounce Shell
• Execute arbitrary commands

An earlier report of Juniper Networks explains about an attack chain that injects the SSH implants on Control Web Panel (CWP, formerly CentOS Web Panel) to exfiltrate essential data from the affected systems.

The researchers at NETLAB explains that the infection chain of Facefish backdoor can be divided into 3 stages, and here they are:-

• In the 1st stage, through the implanted Dropper and vulnerability on the infected system, the Facefish spread its infection.
• In the 2nd stage, the Dropper module of Facfish releases the Rootkit on the infected system.
• The 3rd stage is the operational stage, and in this stage, the Rootkit module collects the sensitive information from the infected system and waits for the command-and-control (C2) server instructions to perform the execution process.

For the initial compromise, the definite vulnerability that is exploited by the attacker still remains unclear. But, the security analysts explain that the dropper module of Facefish comes with a set of pre-built tasks like:-

• Detecting the runtime environment.
• To get C2 information decrypting a configuration file.
• Configuring the rootkit.
• Starting the rootkit by injecting it into the “sshd.”

Moreover, the Rootkits may become a severe danger, as in the infected system it helps a threat actor to gain elevated privileges; and due to the elevated privileges, the attacker can also endanger the core operations of the OS.  

C2 commands

• 0x300 – Report stolen credential information
• 0x301 – Collect details of “uname” command
• 0x302 – Run reverse shell
• 0x310 – Execute any system command
• 0x311 – Send the result of bash execution
• 0x312 – Report host information

Apart from all these things, in February 2021, an ELF sample file was detected by the experts and after analysis of that ELF sample file, the recent verdicts of NETLAB have been published.

IOC

Sample MD5

38fb322cc6d09a6ab85784ede56bc5a7 sshins
d6ece2d07aa6c0a9e752c65fbe4c4ac2 libs.so

176.111.174.26:443