Facefish Backdoor

Facefish Backdoor Description

A backdoor has been observed compromising Linux systems. Named Facefish by researchers at Qihoo 360 NETLAB, it collects information such as user login credentials and device details and executes arbitrary commands received from its Command-and-Control (C2, C&C) server. Facefish consists of two modules with distinct roles on the breached system: a dropper and a rootkit.

Dropper Module Details

The dropper component of Facefish first fingerprints the runtime environment on the infected device. It then decrypts its configuration file, which carries the address of the C2 server, and configures the rootkit module. Finally, it starts the rootkit by injecting it into the sshd (SSH server daemon) process.

Powerful Rootkit

Rootkits in general are difficult to deal with because of how they operate. A kernel-mode rootkit embeds itself in the core of the operating system, which gives it the highest privilege level and makes it extremely hard to detect from inside that system. The Facefish rootkit does not go that deep: it works at the Ring 3 (user-space) layer and is loaded using the LD_PRELOAD technique, in which the dynamic loader maps the attacker's shared library into a process ahead of its normal libraries, so that the rootkit's versions of selected functions are called instead of the originals. Because it is loaded into sshd, it runs with that daemon's privileges. Once established, the rootkit steals user credentials by hooking ssh/sshd related functions. It also carries backdoor capabilities.
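Both the dropper's injection into sshd and the rootkit's LD_PRELOAD loading leave traces a defender can check on a live host. The following Python script is added here as an example; it is not code from the NETLAB report or from Facefish. It audits one process for user-mode library injection by flagging entries in /etc/ld.so.preload, an LD_PRELOAD variable in the process environment, and shared objects mapped into the process that are absent from the binary's link-time dependency list as reported by ldd. All /proc data, ldd output and the library name libexample_hook.so below are constructed placeholders, not Facefish indicators.

```python
import re
import subprocess
from pathlib import Path


def parse_maps(maps_text):
    """Return file-backed shared objects from a /proc/<pid>/maps dump.

    A maps line is: address perms offset dev inode [path]. Only absolute
    paths whose file name contains '.so' are kept (the main binary is not).
    """
    libs = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        path = fields[5].strip()
        if path.startswith("/") and ".so" in Path(path).name:
            libs.add(path)
    return libs


def parse_ldd(ldd_text):
    """Return resolved library paths from `ldd <binary>` output.

    Handles 'libfoo.so => /path/libfoo.so (0x...)' and the loader's own
    '/lib64/ld-linux-x86-64.so.2 (0x...)' form; the vDSO has no path.
    """
    libs = set()
    for line in ldd_text.splitlines():
        m = re.search(r"=>\s*(/\S+)\s+\(0x", line) or re.match(r"\s*(/\S+)\s+\(0x", line)
        if m:
            libs.add(m.group(1))
    return libs


def parse_environ(environ_bytes):
    """Parse /proc/<pid>/environ (NUL-separated KEY=VALUE pairs) into a dict."""
    env = {}
    for item in environ_bytes.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_entries(ld_so_preload_text):
    """Return libraries listed in /etc/ld.so.preload (normally absent or empty)."""
    entries = []
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0]          # strip comments
        entries.extend(line.replace(":", " ").split())
    return entries


def audit_process(maps_text, ldd_text, environ_bytes, ld_so_preload_text):
    """Return (kind, path) findings for one process.

    'ld.so.preload' and 'LD_PRELOAD' are strong signals of preload hooking.
    'not-in-ldd-closure' lists libraries present in the live process but not
    in its link-time dependencies: this catches injected code but also
    legitimate dlopen() loads such as PAM modules and NSS plugins, which the
    analyst must allowlist explicitly rather than discard wholesale.
    """
    findings = [("ld.so.preload", p) for p in preload_entries(ld_so_preload_text)]
    env = parse_environ(environ_bytes)
    if "LD_PRELOAD" in env:
        findings.append(("LD_PRELOAD", env["LD_PRELOAD"]))
    for path in sorted(parse_maps(maps_text) - parse_ldd(ldd_text)):
        findings.append(("not-in-ldd-closure", path))
    return findings


def audit_live(pid):
    """Run the same audit against a real process (root needed for sshd)."""
    proc = Path("/proc") / str(pid)
    ldd = subprocess.run(["ldd", str(proc / "exe")], capture_output=True, text=True, check=False)
    preload = Path("/etc/ld.so.preload")
    return audit_process((proc / "maps").read_text(), ldd.stdout,
                         (proc / "environ").read_bytes(),
                         preload.read_text() if preload.exists() else "")


# Constructed sample data for a hooked sshd (not captured from real malware).
SAMPLE_MAPS = """\
55d5c1a00000-55d5c1a2c000 r--p 00000000 fd:01 1310741    /usr/sbin/sshd
7f3a1c000000-7f3a1c022000 r--p 00000000 fd:01 1048634    /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c410000 r--p 00000000 fd:01 1048701    /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f3a1c600000-7f3a1c605000 r--p 00000000 fd:01 2621450    /usr/lib/x86_64-linux-gnu/security/pam_unix.so
7f3a1c800000-7f3a1c80a000 r--p 00000000 fd:01 3145740    /lib64/libexample_hook.so
7f3a1ca00000-7f3a1ca02000 r--p 00000000 fd:01 1048600    /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffd8a000000-7ffd8a021000 rw-p 00000000 00:00 0          [stack]
7ffd8a1c0000-7ffd8a1c2000 r-xp 00000000 00:00 0          [vdso]
"""
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd8a1c0000)
\tlibcrypto.so.3 => /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3a1c400000)
\tlibc.so.6 => /usr/lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1c000000)
\t/lib64/ld-linux-x86-64.so.2 => /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 (0x00007f3a1ca00000)
"""
SAMPLE_ENVIRON = b"LANG=C.UTF-8\0PATH=/usr/local/sbin:/usr/sbin:/usr/bin\0NOTIFY_SOCKET=/run/systemd/notify\0"
SAMPLE_PRELOAD = "/lib64/libexample_hook.so\n"

if __name__ == "__main__":
    for kind, path in audit_process(SAMPLE_MAPS, SAMPLE_LDD, SAMPLE_ENVIRON, SAMPLE_PRELOAD):
        print(f"{kind:22} {path}")
```

In the constructed sample the hook library is reported twice, once from /etc/ld.so.preload and once as a library the running sshd has that ldd does not list, while pam_unix.so shows up only in the second category because sshd loads PAM modules at runtime. That second category is therefore a review list, not a verdict; the preload file and environment checks are the ones that deserve an alert on their own. Injection by other means (ptrace, a modified binary) does not touch ld.so.preload or LD_PRELOAD and only surfaces through the mapping comparison.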

C2 Server Communication

Facefish uses a multi-step process to communicate with its Command-and-Control server. It exchanges public keys using instructions whose codes start with 0x2xx, and C2 traffic is encrypted with the Blowfish cipher (hence the malware's name). The operator can then send commands according to their goals: Facefish can be instructed to report collected data, including stolen credentials, the output of the uname command and host information, and it also recognizes commands to start a reverse shell, execute arbitrary system commands and return the results of bash execution.

It should be noted that, so far, researchers have not been able to pinpoint the vulnerability or exploit the Facebook operators use to breach the targeted Linux devices.