A new Linux backdoor with rootkit capabilities has been identified. Beyond maintaining access to the host, the malware steals information from the system, such as user credentials and device details, and executes arbitrary commands.
Facefish: New Linux Backdoor and Rootkit
The malware was discovered by Qihoo 360 NETLAB security researchers who named its dropper Facefish.
According to their report, Facefish contains two parts, Dropper and Rootkit. “Its main function is determined by the Rootkit module, which works at the Ring 3 layer and is loaded using the LD_PRELOAD feature to steal user login credentials by hooking ssh/sshd program related functions, and it also supports some backdoor functions. Therefore, Facefish can be characterized as a backdoor for Linux platform,” the report said.
What are Facefish’s main functionalities?
The backdoor can upload device information, steal user credentials, open a reverse shell (the report calls this a “bounce shell”), and execute arbitrary commands.
How is Facefish propagating in the wild? The malware is distributed through a specific vulnerability, but that vulnerability has not been disclosed yet. NETLAB’s analysis builds on an April report by Juniper Networks, which described an attack chain targeting Control Web Panel (CWP) to inject an SSH implant with data exfiltration capabilities.
In terms of Facefish’s infection mechanism, the malware moves through several stages. The chain begins with a command injection against CWP that retrieves a dropper from a remote server. The dropper then loads the rootkit, which collects and transmits sensitive information to the server and waits for further instructions from the command-and-control infrastructure.
The dropper
The dropper is equipped with its own tasks, including the capability to detect the runtime environment, decrypt configuration files to receive command-and-control information, configure the rootkit, and initiate it by injecting it into the sshd server process.
The rootkit
Rootkit components are dangerous because they let attackers interfere with core system operations while hiding their own presence. Facefish’s rootkit works at Ring 3, so it needs no kernel module: once it is loaded into sshd through LD_PRELOAD, its hooks run inside the very process that handles logins and can intercept credentials as sshd processes them. In short, a rootkit such as Facefish digs itself deep into the system, giving threat actors stealth and the ability to bypass detection mechanisms that only look for kernel-level tampering.
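One check a practitioner would run against the kind of user-space hooking described above. The script below is an added example, not code from the NETLAB report or from Facefish itself: it audits a running sshd by reading the LD_PRELOAD variable from its environment, the contents of /etc/ld.so.preload, and the shared objects mapped in /proc/<pid>/maps. The sample environ and maps data, the library path /tmp/.x/libhook.so and the list of trusted library directories are all constructed for illustration and are not indicators from the report.

```python
"""Audit sshd processes for LD_PRELOAD-style user-space hooking (added example)."""
import os

# Directories where a stock distribution keeps legitimately linked libraries.
# Assumption for this example; adjust to the host's layout.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/libexec/")

# Constructed sample data standing in for /proc/<pid>/environ and /proc/<pid>/maps.
# The hooked library path /tmp/.x/libhook.so is invented, not a Facefish artifact.
SAMPLE_ENVIRON = b"PATH=/usr/sbin:/usr/bin\0LD_PRELOAD=/tmp/.x/libhook.so\0LANG=C\0"
SAMPLE_MAPS = """\
55d1e3c00000-55d1e3c80000 r-xp 00000000 fd:01 1234 /usr/sbin/sshd
7f3a1c000000-7f3a1c1c0000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c200000-7f3a1c210000 r-xp 00000000 fd:01 9012 /tmp/.x/libhook.so
7f3a1c300000-7f3a1c321000 rw-p 00000000 00:00 0
7ffd12340000-7ffd12361000 rw-p 00000000 00:00 0 [stack]
"""
CLEAN_ENVIRON = b"PATH=/usr/sbin:/usr/bin\0LANG=C\0"
CLEAN_MAPS = """\
55d1e3c00000-55d1e3c80000 r-xp 00000000 fd:01 1234 /usr/sbin/sshd
7f3a1c000000-7f3a1c1c0000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd12340000-7ffd12361000 rw-p 00000000 00:00 0 [stack]
"""


def preload_from_environ(environ_bytes):
    """Return the LD_PRELOAD value from a NUL-separated environ blob, or None."""
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def ld_so_preload_entries(text):
    """Parse /etc/ld.so.preload: one library per line, blank lines and '#' comments ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def untrusted_libs_from_maps(maps_text):
    """Return mapped shared objects whose path lies outside TRUSTED_LIB_DIRS."""
    found = []
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:          # anonymous mapping, no backing file
            continue
        path = parts[5]
        if not path.startswith("/"):  # [stack], [heap], [vdso] and friends
            continue
        if ".so" not in os.path.basename(path):
            continue
        if path.startswith(TRUSTED_LIB_DIRS):
            continue
        if path not in found:
            found.append(path)
    return found


def audit(environ_bytes, maps_text, ld_so_preload_text=""):
    """Combine the three checks into a list of human-readable findings (empty if clean)."""
    findings = []
    preload = preload_from_environ(environ_bytes)
    if preload:
        findings.append(f"LD_PRELOAD set in process environment: {preload}")
    for lib in ld_so_preload_entries(ld_so_preload_text):
        findings.append(f"library listed in /etc/ld.so.preload: {lib}")
    for lib in untrusted_libs_from_maps(maps_text):
        findings.append(f"shared object mapped from untrusted path: {lib}")
    return findings


def audit_live_sshd():
    """Walk /proc and audit every process named sshd; reading environ needs root."""
    try:
        with open("/etc/ld.so.preload") as f:
            preload_file = f.read()
    except OSError:
        preload_file = ""
    results = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                if f.read().strip() != "sshd":
                    continue
            with open(f"/proc/{pid}/environ", "rb") as f:
                env = f.read()
            with open(f"/proc/{pid}/maps") as f:
                maps = f.read()
        except OSError:
            continue                 # process exited or permission denied
        results[int(pid)] = audit(env, maps, preload_file)
    return results


if __name__ == "__main__":
    for pid, findings in sorted(audit_live_sshd().items()):
        for line in findings or ["clean"]:
            print(pid, line)
```

The path check is deliberately the weakest of the three: a dropper that writes its library into /lib64 will pass it, so on a real host cross-check every mapped library against the package manager (`rpm -Vf <path>` or `dpkg -S <path>`) and against what `ldd /usr/sbin/sshd` reports as legitimately linked. Note also that /proc/<pid>/environ shows the environment sshd was started with, so a rootkit injected after start-up will only show up in maps and, if used, in /etc/ld.so.preload.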
NETLAB researchers also note that Facefish specifically supports the FreeBSD operating system. Full technical disclosure of the Facefish backdoor and rootkit is available in the original analysis.
Other examples of rootkit-based attacks include the cryptojacking Nansh0u operation and the KORKERDS miner and rootkit.