Qihoo 360 NETLAB researchers described a new backdoor Facefish that can steal sensitive information from users and execute arbitrary commands on Linux systems.
Facefish owes its name to its ability to deliver different rootkits at different times and to encrypt its communications with the attacker-controlled server using the Blowfish cipher. Facefish targets Linux x64 systems.
Facefish is a distributed framework that consists of two components, a dropper and a rootkit, and is used to steal user credentials and perform other related functions:
“Facefish consists of 2 parts, Dropper and Rootkit, and its main function is determined by the Rootkit module, which works at the Ring 3 layer and is loaded using the LD_PRELOAD feature to steal user login credentials by hooking ssh/sshd program related functions, and it also supports some backdoor functions,” the researchers said.
The new analysis by Qihoo 360 builds on the analysis published by Juniper Networks on April 26 that showed how an attacker could inject a malicious SSH implant into a vulnerable Control Web Panel (CWP) to expose sensitive information.
According to Juniper, Facefish relies on a multi-stage infection process that starts with a command injection against CWP, proceeds with a dropper (“sshins”), and then deploys a rootkit that takes care of gathering and exfiltrating sensitive information stored on the compromised server. After that, it awaits further instructions from the command-and-control (C2) server.
While the exact details of the attack are still unknown due to the “intentional encryption and obfuscation” of the CWP’s source code, Juniper noted that CWP’s codebase is riddled with serious flaws.
The dropper, in turn, performs various tasks, including detecting the runtime environment, extracting C2 information, and configuring and starting the rootkit, among others.
The Blowfish cipher is used to encrypt communication with the C2 server.
A rootkit can camouflage itself among legitimate processes of the operating system to remain undetected and allows an attacker to gain elevated privileges to interfere with the core operations of the operating system.
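Because the Rootkit module described above is loaded through LD_PRELOAD rather than as a kernel module, a defender can look for it in the two places the dynamic loader takes preload entries from. The following check is an added example, not code from the NETLAB or Juniper reports; the library paths in the sample data are constructed, and only the file name libs.so comes from the report.

```python
"""Added defender's check (not from the NETLAB or Juniper reports).
Inspects the two LD_PRELOAD injection routes: /etc/ld.so.preload (applied
by ld.so to every dynamically linked program) and the LD_PRELOAD variable
in a live process environment (/proc/<pid>/environ)."""
import os
from pathlib import Path

# Constructed sample inputs mimicking a compromised host (paths are made up).
SAMPLE_PRELOAD = "# loaded into every process\n/usr/local/lib/libs.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/usr/local/lib/libs.so\0HOME=/root\0"

def parse_ld_so_preload(text: str) -> list:
    """Library paths from /etc/ld.so.preload: whitespace separated, '#' to end of line skipped."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs

def parse_environ(environ: bytes) -> list:
    """LD_PRELOAD entries from a NUL-separated environ blob (ld.so accepts ':' or ' ' separators)."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in value.replace(":", " ").split() if p]
    return []

def suspicious(libs, allowlist=frozenset()) -> list:
    """Everything not explicitly allowed; a clean server normally preloads nothing at all."""
    return [lib for lib in libs if lib not in allowlist]

def scan_live(allowlist=frozenset()) -> dict:
    """Inspect the real system. Returns {source: [flagged libraries]}."""
    findings = {}
    try:
        hits = suspicious(parse_ld_so_preload(Path("/etc/ld.so.preload").read_text()), allowlist)
        if hits:
            findings["/etc/ld.so.preload"] = hits
    except OSError:
        pass  # file absent on a clean host, or unreadable
    pids = filter(str.isdigit, os.listdir("/proc")) if os.path.isdir("/proc") else []
    for pid in pids:
        try:
            hits = suspicious(parse_environ(Path(f"/proc/{pid}/environ").read_bytes()), allowlist)
        except OSError:
            continue  # process exited, or environ not readable without privileges
        if hits:
            findings[f"pid {pid}"] = hits
    return findings

if __name__ == "__main__":
    for source, libs in scan_live().items():
        print(f"{source}: {libs}")
```

Run as root to read every process's environ; a preloaded library that hooks ssh/sshd functions will show up under the sshd process or in /etc/ld.so.preload.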
Facefish also uses a complex encryption algorithm and a communication protocol. Some of the C2 server’s commands are as follows:
0x300 – Report stolen credential information
0x301 – Collect details of “uname” command
0x302 – Run reverse shell
0x310 – Execute any system command
0x311 – Send the result of bash execution
0x312 – Report host information
NETLAB analyzed an ELF sample from February 2021 and presented its findings in a report this week. The report also provides indicators of compromise (IoCs) for the rootkit (libs.so).