Cybersecurity researchers have disclosed a new backdoor program capable of stealing user login credentials and device information and executing arbitrary commands on Linux systems.
The malware dropper has been dubbed "Facefish" by the Qihoo 360 NETLAB team, owing to its ability to deliver different rootkits at different times and its use of the Blowfish cipher to encrypt communications with the attacker-controlled server.
"Facefish consists of 2 parts, Dropper and Rootkit, and its main function is determined by the Rootkit module, which works at the Ring 3 layer and is loaded using the LD_PRELOAD feature to steal user login credentials by hooking ssh/sshd program related functions, and it also supports some backdoor functions," the researchers said.
The NETLAB research builds on an earlier analysis published by Juniper Networks on April 26, which documented an attack chain targeting Control Web Panel (CWP, formerly CentOS Web Panel) to inject an SSH implant with data exfiltration capabilities.
Facefish goes through a multi-stage infection process that begins with a command injection against CWP to retrieve a dropper ("sshins") from a remote server. The dropper then releases a rootkit that ultimately takes charge of collecting sensitive information and transmitting it back to the server, and of awaiting further instructions issued by the command-and-control (C2) server.
While the exact vulnerability exploited for the initial compromise remains unclear, Juniper noted that CWP has been plagued by dozens of security issues, adding that the "intentional encryption and obfuscation" of the source code has made it "difficult to determine which versions of CWP are or remain vulnerable to this attack."
For its part, the dropper has its own set of tasks, chief among them detecting the runtime environment, decrypting the configuration file to obtain C2 information, configuring the rootkit, and starting the rootkit by injecting it into the secure shell server process (sshd).
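A userland (Ring 3) preload rootkit of the kind described above leaves two footprints a responder can check without any kernel tooling: a non-empty /etc/ld.so.preload, which the dynamic loader honours for every new process, and a shared object mapped into the running sshd from somewhere other than the distribution's library directories (or a mapping whose backing file has already been deleted). The following triage helper is an added example, not NETLAB's or Juniper's code; the trusted-prefix list, the library names and the /proc/<pid>/maps lines are constructed for illustration and should be adjusted to the host's distribution.

```python
"""Triage helper for LD_PRELOAD-style hooks inside sshd.

Added example (not code from the Facefish reports). It inspects the two
places a userland preload rootkit normally shows up:
  1. the body of /etc/ld.so.preload, which the loader reads for every process;
  2. the memory map of a running sshd (/proc/<pid>/maps), where an injected
     shared object appears as a file-backed mapping outside the usual
     library directories, or as a mapping marked "(deleted)".
All sample inputs in this file are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Set

# Where a stock distribution keeps its shared objects and the sshd binary.
# Assumption for this example; tune per distro (e.g. add /usr/local/lib if
# the host legitimately installs libraries there).
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/",
                    "/usr/sbin/", "/usr/bin/")

# /proc/<pid>/maps: address perms offset dev inode pathname
_MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S.*)$")


def parse_ld_so_preload(text: str) -> List[str]:
    """Return the library paths listed in an /etc/ld.so.preload body.

    The loader accepts whitespace-separated paths and '#' comments. On a
    server that runs sshd, any entry at all deserves a second look.
    """
    entries: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries


def mapped_objects(maps_text: str) -> Set[str]:
    """Collect file-backed mappings from /proc/<pid>/maps text.

    Pseudo-mappings such as [heap], [stack] and [vdso] are ignored.
    """
    objects: Set[str] = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if m and m.group(1).startswith("/"):
            objects.add(m.group(1).strip())
    return objects


def suspicious_objects(maps_text: str,
                       trusted: Iterable[str] = TRUSTED_PREFIXES) -> List[str]:
    """Return mappings outside the trusted prefixes or already unlinked on disk."""
    prefixes = tuple(trusted)
    return sorted(p for p in mapped_objects(maps_text)
                  if p.endswith("(deleted)") or not p.startswith(prefixes))


def triage(ld_so_preload_text: str, sshd_maps_text: str) -> Dict[str, object]:
    """Combine both checks into one verdict for a single sshd process."""
    preload = parse_ld_so_preload(ld_so_preload_text)
    unexpected = suspicious_objects(sshd_maps_text)
    return {"ld_so_preload": preload,
            "sshd_unexpected": unexpected,
            "suspicious": bool(preload or unexpected)}


def triage_live(sshd_pid: int) -> Dict[str, object]:
    """Run the same checks against a real host (needs root to read sshd's maps)."""
    try:
        with open("/etc/ld.so.preload", encoding="utf-8") as fh:
            preload_text = fh.read()
    except FileNotFoundError:
        preload_text = ""  # absent file is the normal, clean state
    with open(f"/proc/{sshd_pid}/maps", encoding="utf-8") as fh:
        return triage(preload_text, fh.read())


# Constructed sample: one preload entry and an sshd map with two oddities,
# a library under /usr/local and a mapping whose file was deleted.
SAMPLE_LD_SO_PRELOAD = "# constructed\n/usr/local/lib/libhook.so\n"
SAMPLE_SSHD_MAPS = """\
55d2c1a00000-55d2c1b00000 r-xp 00000000 fd:01 1310722 /usr/sbin/sshd
7f1a2c000000-7f1a2c1c0000 r-xp 00000000 fd:01 2621441 /usr/lib64/libc.so.6
7f1a2c400000-7f1a2c404000 r-xp 00000000 fd:01 3932161 /usr/local/lib/libhook.so
7f1a2c600000-7f1a2c601000 r-xp 00000000 00:1b 12345 /dev/shm/.x.so (deleted)
7ffd3e000000-7ffd3e021000 rw-p 00000000 00:00 0 [stack]
7ffd3e0f0000-7ffd3e0f2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LD_SO_PRELOAD, SAMPLE_SSHD_MAPS))
```

On a live host, run `triage_live(pid)` for every sshd process (the listener and each per-connection child), and treat a hit as a reason to image the box rather than to clean it in place: a hook that sits inside sshd sees every password and key exchange, and the page notes the dropper also ships a configuration for a C2 channel.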
Rootkits are particularly dangerous because they run with the privileges of whatever they subvert and can interfere with core operations of the underlying operating system; in Facefish's case the hooks live inside the sshd process itself, which runs as root and handles every login. This ability to blend into the fabric of the operating system gives attackers a high level of stealth and evasion.
Facefish also implements a custom communication protocol and encryption scheme: instructions in the 0x2XX range are used to exchange public keys, and Blowfish encrypts the communication data exchanged with the C2 server. Some of the C2 commands sent by the server are as follows –
- 0x300 – Report stolen credential information
- 0x301 – Collect details of “uname” command
- 0x302 – Run reverse shell
- 0x310 – Execute virtually any system command
- 0x311 – Deliver the result of bash execution
- 0x312 – Report host information
NETLAB's findings come from an analysis of an ELF sample it detected in February 2021. Other indicators of compromise associated with the malware are listed in NETLAB's report.