Researchers Warn of Facefish Backdoor Spreading Linux Rootkits
Cybersecurity researchers have disclosed a new backdoor program capable of stealing user login credentials, device information and executing arbitrary commands on Linux systems.
The malware dropper has been dubbed “Facefish” by Qihoo 360 NETLAB team owing its capabilities to deliver different rootkits at different times and the use of Blowfish cipher to encrypt communications to the attacker-controlled server.
“Facefish consists of 2 parts, Dropper and Rootkit, and its main function is determined by the Rootkit module, which works at the Ring 3 layer and is loaded using the LD_PRELOAD feature to steal user login credentials by hooking ssh/sshd program related functions, and it also supports some backdoor functions,” the researchers said.
The NETLAB research builds on a previous analysis published by Juniper Networks on April 26, which documented an attack chain targeting Control Web Panel (CWP, formerly CentOS Web Panel) to inject an SSH implant with data exfiltration capabilities.
Facefish goes through a multi-stage infection process, which commences with a command injection against the CWP to retrieve a dropper (“sshins”) from a remote server, which then releases a rootkit that ultimately takes charge of collecting and transmitting sensitive information back to the server, in addition to awaiting further instructions issued by the command-and-control (C2) server.
For its part, the dropper comes with its own set of tasks, chief among being detecting the runtime environment, decrypting a configuration file to get C2 information, configuring the rootkit, and starting the rootkit by injecting it into the secure shell server process (sshd).
Rootkits are particularly dangerous as they allow attackers to gain elevated privileges in the system, allowing them to interfere with core operations conducted by the underlying operating system. This ability of rootkits to camouflage into the fabric of the operating system gives attackers a high level of stealth and evasion.
Facefish also employs a complex communication protocol and encryption algorithm, using instructions starting with 0x2XX to exchange public keys and BlowFish for encrypting communication data with the C2 server. Some of the C2 commands sent by the server are as follows –
- 0x300 – Report stolen credential information
- 0x301 – Collect details of “uname” command
- 0x302 – Run reverse shell
- 0x310 – Execute any system command
- 0x311 – Send the result of bash execution
- 0x312 – Report host information
NETLAB’s findings come from an analysis of an ELF sample file it detected in February 2021. Other indicators of compromise associated with the malware can be accessed here.