Cybersecurity researchers have disclosed a new backdoor program capable of stealing user login credentials and device information and executing arbitrary commands on Unix systems.
The malware dropper has been dubbed "Facefish" by the Qihoo 360 NETLAB team, owing to its ability to deliver different rootkits at different times and its use of the Blowfish cipher to encrypt communications to the attacker-controlled server.
"Facefish consists of 2 parts, Dropper and Rootkit, and its main function is determined by the Rootkit module, which works on the Ring 3 layer and is loaded using the LD_PRELOAD feature, stealing user login credentials by hooking ssh/sshd program related functions, and it also supports some backdoor functions," the researchers said.
The NETLAB research builds on a prior analysis published by Juniper Networks on April 26, which documented an attack campaign targeting Control Web Panel (CWP, formerly CentOS Web Panel) to inject an SSH implant with data exfiltration capabilities.
Facefish goes through a multi-stage infection process, which begins with a command injection against CWP to retrieve a dropper ("sshins") from a remote server, which in turn releases a rootkit that ultimately takes charge of collecting and transmitting sensitive information back to the server, in addition to awaiting further instructions issued by the command-and-control (C2) server.
While the exact vulnerability exploited by the attacker for initial compromise remains unclear, Juniper noted that CWP has been plagued by dozens of security issues, adding that the "intentional encryption and obfuscation" of the source code has made it "difficult to see which versions of CWP are or remain vulnerable to this attack."
For its part, the dropper comes with its own set of tasks, chief among them detecting the runtime environment, decrypting the configuration file to get C2 information, configuring the rootkit, and starting the rootkit by injecting it into the secure shell server process (sshd).
Rootkits are particularly dangerous as they allow attackers to gain elevated privileges on the system, allowing them to interfere with core operations conducted by the underlying operating system. This ability of rootkits to camouflage into the fabric of the operating system gives attackers a high level of stealth and evasion.
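Because the rootkit runs in Ring 3 and is loaded through LD_PRELOAD, it leaves traces a defender can look for without any kernel-level tooling: an entry in /etc/ld.so.preload, an LD_PRELOAD variable in sshd's environment, or a shared object mapped into sshd from a directory that is not a normal library location. The following script is an added example written for this article; it is not NETLAB's, Juniper's, or the malware's code. The sample /proc contents, the library path `/tmp/.x/libhook.so`, and the list of trusted library directories are constructed assumptions for illustration.

```python
"""Detect LD_PRELOAD-style userland (Ring 3) hooks in sshd on Linux.

Added example, not from the article. Three checks, each a pure function
over text so they can be run against captured /proc data as well as live:
  1. entries in /etc/ld.so.preload (absent or empty on a clean host),
  2. LD_PRELOAD in a process environment (/proc/<pid>/environ),
  3. shared objects mapped into sshd outside standard library directories.
"""
import os
import re
from typing import Dict, List

# Assumption: where legitimate libraries live on common distros. Adjust for
# your own build; anything else mapped as a .so into sshd deserves a look.
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/libexec/")

# /proc/<pid>/maps: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(.+)$")


def shared_objects_from_maps(maps_text: str) -> List[str]:
    """Unique file paths of shared-object mappings, in first-seen order."""
    seen: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # anonymous mapping with no pathname
        path = m.group(1).strip()
        # skip pseudo-paths such as [stack] or [vdso] and non-library files
        if path.startswith("/") and ".so" in os.path.basename(path) and path not in seen:
            seen.append(path)
    return seen


def untrusted_libraries(maps_text: str) -> List[str]:
    """Mapped .so files that do not sit under a trusted library directory."""
    return [p for p in shared_objects_from_maps(maps_text)
            if not p.startswith(TRUSTED_LIB_PREFIXES)]


def preload_entries(ld_so_preload_text: str) -> List[str]:
    """Non-comment, non-empty lines of /etc/ld.so.preload."""
    entries = []
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def ld_preload_from_environ(environ_bytes: bytes) -> List[str]:
    """LD_PRELOAD paths from a NUL-separated /proc/<pid>/environ blob."""
    key = b"LD_PRELOAD="
    for item in environ_bytes.split(b"\0"):
        if item.startswith(key):
            value = item[len(key):].decode(errors="replace")
            # the loader accepts ':' or whitespace as separators
            return [p for p in value.replace(":", " ").split() if p]
    return []


def scan_live_sshd(proc_root: str = "/proc") -> Dict[str, object]:
    """Run all three checks on the running host (root needed to read sshd's
    environ and maps). Returns a dict of findings; empty values mean clean."""
    findings: Dict[str, object] = {"ld_so_preload": [], "env_preload": {}, "untrusted_maps": {}}
    try:
        with open("/etc/ld.so.preload") as f:
            findings["ld_so_preload"] = preload_entries(f.read())
    except FileNotFoundError:
        pass
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(f"{proc_root}/{pid}/comm") as f:
                if f.read().strip() != "sshd":
                    continue
            with open(f"{proc_root}/{pid}/environ", "rb") as f:
                env_hits = ld_preload_from_environ(f.read())
            with open(f"{proc_root}/{pid}/maps") as f:
                lib_hits = untrusted_libraries(f.read())
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # process exited or we lack rights; move on
        if env_hits:
            findings["env_preload"][pid] = env_hits  # type: ignore[index]
        if lib_hits:
            findings["untrusted_maps"][pid] = lib_hits  # type: ignore[index]
    return findings


# Constructed sample data (not captured from a real infection).
SAMPLE_MAPS = """\
55d2c0000000-55d2c0100000 r-xp 00000000 08:01 131 /usr/sbin/sshd
7f10a0000000-7f10a01c0000 r-xp 00000000 08:01 2047 /usr/lib/x86_64-linux-gnu/libc.so.6
7f10a0200000-7f10a0210000 r-xp 00000000 08:01 9001 /tmp/.x/libhook.so
7f10a0300000-7f10a0301000 rw-p 00000000 00:00 0
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_PRELOAD_FILE = "/tmp/.x/libhook.so\n# comment line\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhook.so\0HOME=/root\0"

if __name__ == "__main__":
    print("untrusted libs:", untrusted_libraries(SAMPLE_MAPS))
    print("ld.so.preload:", preload_entries(SAMPLE_PRELOAD_FILE))
    print("env LD_PRELOAD:", ld_preload_from_environ(SAMPLE_ENVIRON))
    print("live host:", scan_live_sshd())
```

The three checks are deliberately separate functions over text so they can be pointed at forensic copies of /proc or at a live host; on a live system the script needs root to read another process's environ and maps, and a clean sshd should yield empty lists for all three.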
Facefish also uses a complex communication protocol and encryption algorithm, using instructions starting with 0x2XX to exchange public keys and Blowfish for encrypting communication data with the C2 server. Some of the C2 commands sent by the server are as follows:
- 0x300 – Report stolen credential information
- 0x301 – Collect details of "uname" command
- 0x302 – Run reverse shell
- 0x310 – Execute arbitrary system command
- 0x311 – Report the result of bash execution
- 0x312 – Report host information
NETLAB's findings come from an analysis of an ELF sample file it detected in February 2021. Other indicators of compromise associated with the malware can be found here.