Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.
Researchers Warn of Facefish Backdoor Spreading Linux Rootkits

May 28, 2021

Cybersecurity researchers have disclosed a new backdoor program capable of stealing user login credentials and system information and of executing arbitrary commands on Linux systems.

The malware dropper has been dubbed "Facefish" by the Qihoo 360 NETLAB team owing to its ability to deliver different rootkits at different times and its use of the Blowfish cipher to encrypt communications with the attacker-controlled server.

"Facefish consists of two parts, Dropper and Rootkit, and its main function is determined by the Rootkit module, which works at the Ring 3 layer and is loaded using the LD_PRELOAD feature to steal user login credentials by hooking ssh/sshd program related functions, and it also supports some backdoor functions," the researchers said.


The NETLAB analysis builds on an earlier analysis published by Juniper Networks on April 26, which documented an attack chain targeting Control Web Panel (CWP, formerly CentOS Web Panel) to inject an SSH implant with data exfiltration capabilities.

Facefish goes through a multi-stage infection process, which begins with a command injection against the CWP to retrieve a dropper ("sshins") from a remote server. The dropper then releases a rootkit that ultimately takes charge of collecting sensitive information and transmitting it back to the server, in addition to awaiting further instructions issued by the command-and-control (C2) server.


For its part, the dropper has its own set of tasks, chief among them detecting the runtime environment, decrypting a configuration file to obtain C2 information, configuring the rootkit, and starting the rootkit by injecting it into the secure shell server process (sshd).

Rootkits are particularly dangerous because they allow attackers to gain elevated privileges on the system, letting them interfere with core operations performed by the underlying operating system. This ability of rootkits to blend into the fabric of the operating system gives attackers a high degree of stealth and evasion.
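Because the Facefish rootkit runs in user space (Ring 3) and is loaded through LD_PRELOAD into sshd, a defender can look for exactly that loading vector rather than for the sample itself. The following is an added detection example written for this page; it is not NETLAB's, Juniper's or the malware author's code. It audits the artefacts a preload-based injection leaves behind: entries in /etc/ld.so.preload, an LD_PRELOAD variable in the sshd process environment, and shared objects mapped into sshd from outside the normal library directories. The trusted directory list and all sample /proc data are constructed assumptions a defender would replace with their own baseline.

```python
"""Audit an sshd process for LD_PRELOAD-style (Ring 3) library injection.

Added example for this page, not code from NETLAB or Juniper.  The sample
/proc contents below are constructed; TRUSTED_LIB_DIRS is an assumption to
tune against a known-good host.
"""
import re
from typing import Iterable, List

# Directories from which a stock sshd normally loads its shared objects.
# Anything mapped from elsewhere (e.g. /tmp, /dev/shm, a home directory) is
# worth a second look.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# /proc/PID/maps line: address perms offset dev inode [pathname]
# Only file-backed mappings whose pathname starts with "/" are captured.
MAPS_PATH_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(/\S+)$")


def shared_objects_from_maps(maps_text: str) -> List[str]:
    """Return the distinct file-backed mappings that look like shared objects."""
    seen: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_PATH_RE.match(line)
        if not m:
            continue  # anonymous, [heap], [stack] or similar pseudo-paths
        path = m.group(1)
        if ".so" in path and path not in seen:
            seen.append(path)
    return seen


def untrusted_objects(paths: Iterable[str]) -> List[str]:
    """Keep only shared objects that live outside the trusted library directories."""
    return [p for p in paths if not p.startswith(TRUSTED_LIB_DIRS)]


def preload_findings(ld_so_preload_text: str, environ_bytes: bytes) -> List[str]:
    """Report the two preload vectors: /etc/ld.so.preload entries and LD_PRELOAD."""
    findings = []
    for line in ld_so_preload_text.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#"):
            findings.append(f"/etc/ld.so.preload lists {entry}")
    # /proc/PID/environ is NUL-separated KEY=VALUE pairs.
    for var in environ_bytes.split(b"\0"):
        if var.startswith(b"LD_PRELOAD="):
            findings.append(f"process environment has {var.decode(errors='replace')}")
    return findings


def audit_sshd(maps_text: str, ld_so_preload_text: str, environ_bytes: bytes) -> List[str]:
    """Combine all checks into one list of human-readable findings (empty means clean)."""
    findings = preload_findings(ld_so_preload_text, environ_bytes)
    for path in untrusted_objects(shared_objects_from_maps(maps_text)):
        findings.append(f"sshd maps shared object outside trusted dirs: {path}")
    return findings


# --- constructed sample data standing in for /proc/<sshd pid>/maps etc. ---
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0a1c000 r--p 00000000 fd:01 1234 /usr/sbin/sshd
7f2a10000000-7f2a10022000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a10400000-7f2a10403000 r-xp 00000000 fd:01 9999 /tmp/.x/libs.so
7f2a10600000-7f2a10621000 rw-p 00000000 00:00 0 [heap]
7ffd3c000000-7ffd3c021000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_PRELOAD = "# constructed sample\n/tmp/.x/libs.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libs.so\0HOME=/root\0"

if __name__ == "__main__":
    # On a live host, read /proc/$(pidof sshd)/maps, /proc/$(pidof sshd)/environ
    # and /etc/ld.so.preload instead of the constructed samples.
    for finding in audit_sshd(SAMPLE_MAPS, SAMPLE_PRELOAD, SAMPLE_ENVIRON):
        print("FINDING:", finding)
```

The check deliberately does not trust the library name: a preloaded object can be named anything, so the signal is where it is loaded from and how it got there. On a real host, run it against every sshd process (the listener and each per-session child), since LD_PRELOAD set only on the listener is inherited by the children.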

Facefish also employs a complex communication protocol and encryption scheme, using instructions beginning with 0x2XX to exchange public keys and Blowfish to encrypt communication data with the C2 server. Some of the C2 commands sent by the server are as follows –

  • 0x300 – Report stolen credential information
  • 0x301 – Collect the details of the "uname" command
  • 0x302 – Run a reverse shell
  • 0x310 – Execute any system command
  • 0x311 – Send the result of bash execution
  • 0x312 – Report host information

NETLAB's findings come from an analysis of an ELF sample file it detected in February 2021. Other indicators of compromise associated with the malware can be accessed here.
