Facefish Backdoor delivers rootkits to Linux x64 systems

Pierluigi Paganini May 30, 2021

Qihoo 360 NETLAB spotted a new backdoor dubbed Facefish that could allow attackers to take over Linux systems and steal sensitive data.

Cybersecurity experts from Qihoo 360 NETLAB published details about a new backdoor, dubbed Facefish, which can be used by threat actors to steal login credentials and executing arbitrary commands on Linux systems.

The malware was also analyzed by Juniper researchers who observed the use of an exploit against the Control Web Panel (CWP) server administration web application to inject code via LD_PRELOAD, and uses a custom, encrypted binary C2 to exfiltrate credentials and control the machines. 

At the time of this writing, the exact vulnerability exploited by the threat actors has yet to be determined, but experts pointed out that CWP has been affected by multiple flaws.

Facefish specifically targets Linux x64 systems and is able to drop multiple rootkits at different times, it uses Blowfish encryption algorithm for C2 communications.

“Facefish consists of 2 parts, Dropper and Rootkit, and its main function is determined by the Rootkit module, which works at the Ring3 layer and is loaded using the LD_PRELOAD feature to steal user login credentials by hooking ssh/sshd program related functions, and it also supports some backdoor functions.” reads the analysis published by Qihoo 360 NETLAB.

The malware supports multiple functions, including:

  • Upload device information
  • Stealing user credentials
  • Bounce Shell
  • Execute arbitrary commands

Facefish uses a multi-stage infection process, one injected the command via LD_PRELOAD, it retrieves a dropper (“sshins”) from a remote server, which then releases a rootkit that carries out the malicious actions and executes commands sent by the C2.

facefish malware

The Chinese cybersecurity firm published a detailed analysis of the rootkit (libs.so) and the C2 infrastructure.

The researchers analyzed the task performed by the malware, including information gathering about the runtime environment, decrypting a configuration file to get C2 information, configuring the rootkit, and launching the rootkit via sshd.

“Facefish steals the login credentials with the help of the function after Hook and reports it to C2.” continues the analysis.

Facefish implements employs a complex communication protocol and encryption algorithm, it uses instructions starting with 0x2XX to exchange public keys and BlowFish for encrypting communication data with the C2 server. Below some of the C2 functional instructions analyzed by the experts:

  • 0x300 – Report stolen credential information
  • 0x301 – Collect details of “uname” command
  • 0x302 – Run reverse shell
  • 0x310 – Execute any system command
  • 0x311 – Send the result of bash execution
  • 0x312 – Report host information

The report also includes indicators of compromise (IoCs) associated with the threat.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Facefish)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment