Posted on May 29, 2021 at 4:57 PM
Cybersecurity researchers have revealed the discovery of a new Linux backdoor capable of stealing user login credentials.
According to the researchers, the backdoor also steals device information and executes arbitrary commands on Linux systems.
The Qihoo 360 NETLAB team dubbed the malware “Facefish” because of its ability to deliver different rootkits at different times and its use of the Blowfish cipher to encrypt communications with the threat actors’ control server.
The researchers also stated that Facefish consists of two modules, a Dropper and a Rootkit, with its core features determined by the Rootkit part.
According to the researchers, it steals user credentials by hooking the related functions of the ssh/sshd program.
Facefish uses a sophisticated algorithm
The researchers have also noted that Facefish uses a sophisticated encryption algorithm and communication protocol when exchanging information with its C2 server, which makes the traffic harder to detect.
The researchers outlined some of the commands the control server delivers to the malware, which include 0x300 to report stolen credential information, 0x310 to execute any system command, and 0x300 to run a reverse shell, among other commands.
NETLAB’s discovery stems from its analysis of an ELF sample found in February this year.
Since February this year, the attacker has been scanning the internet and using an exploit for an old bug to target CWP installations.
The main goal of the malware is to gather vital details and steal SSH credentials from the victimized host.
The NETLAB researchers built on an initial analysis by Juniper Networks, published on April 26, which recorded an attack chain targeting CentOS Web Panel (now called Control Web Panel). That chain injected an SSH implant with data-stealing capabilities into the targeted device.
Facefish has also been upgraded to carry out a multi-stage infection process, which starts with a command injection against Control Web Panel and retrieves the SSHINS dropper from the remote server.
Afterward, it delivers a toolkit that collects sensitive information and transmits it to the control server. It also retrieves additional instructions from the control server to carry out further actions on the targeted device.
Security Issues plaguing CWP
Although the particular vulnerability the attacker exploited is still not known, several security issues have plagued CWP, according to Juniper.
The research team stated that the issue is further complicated by the difficulty of determining which CWP installations are susceptible to attack. This, according to the researchers, is due to the product’s “intentional encryption and obfuscation.”
The dropper also carries out its own tasks, among which are configuring the rootkit, decrypting a configuration file to retrieve its information, and detecting the runtime environment. It then starts the rootkit by injecting it into the SSHD process.
Rootkits are particularly dangerous because they give threat actors privileged access to the system, covering sensitive operations carried out by the targeted operating system.
The ability of a rootkit to hide within the fabric of the operating system gives threat actors a high level of evasion and makes the threat all the more serious.
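A defensive check added here, not part of the NETLAB or Juniper research: a Python script that parses `/proc/<pid>/maps` for sshd processes and flags shared objects mapped from outside the usual library directories or backed by deleted files, the kind of artifact a library injected into the SSHD process tends to leave behind. The trusted path list and the sample maps dump are constructed assumptions.

```python
import os
import re

# Paths sshd is expected to load code from (assumed list; adjust per distribution).
# Anything mapped from elsewhere (/tmp, /dev/shm, a home directory) or from a
# deleted file is a candidate for an injected library and deserves review.
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/sbin/sshd")

# One line of /proc/<pid>/maps: range, perms, offset, dev, inode, optional path.
MAPS_LINE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$")

def suspicious_mappings(maps_text: str) -> list:
    """Return file-backed mappings outside TRUSTED_PREFIXES or backed by deleted files."""
    flagged = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        if not path or path.startswith("["):
            continue  # anonymous memory, [heap], [stack], [vdso] and friends
        # "(deleted)" also follows a routine library upgrade while sshd keeps running: a lead, not a verdict.
        if path.endswith("(deleted)") or not path.startswith(TRUSTED_PREFIXES):
            flagged.add(path)
    return sorted(flagged)

def scan_live_sshd() -> dict:
    """Walk /proc for processes named sshd; map pid -> suspicious mappings (Linux only)."""
    report = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                if f.read().strip() != "sshd":
                    continue
            with open(f"/proc/{pid}/maps") as f:
                hits = suspicious_mappings(f.read())
        except OSError:
            continue  # process exited, or maps unreadable without root
        if hits:
            report[int(pid)] = hits
    return report

# Constructed sample of an sshd maps dump (not captured from a real infection).
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0b00000 r-xp 00000000 08:01 393221 /usr/sbin/sshd
7f3b2c000000-7f3b2c1c5000 r-xp 00000000 08:01 131138 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f3b2c400000-7f3b2c40a000 r-xp 00000000 08:01 262145 /dev/shm/.ssh_cache.so
7f3b2c600000-7f3b2c602000 r-xp 00000000 08:01 262200 /usr/lib/x86_64-linux-gnu/libz.so.1 (deleted)
7ffd5c3f0000-7ffd5c411000 rw-p 00000000 00:00 0 [stack]
"""
```

Treat hits as leads and confirm them against the package manager’s file verification (`rpm -V` or `dpkg --verify`), since a path-based check cannot tell a trojanized library in `/usr/lib` from a legitimate one.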
Little activity despite months of attack
The researchers stated that the attack involves a rarely seen rootkit component, which the threat actor used on the compromised Linux servers to evade detection and maintain persistence.
However, the researchers said there has been little activity on the compromised servers, despite months of persistent attacks by the hackers.
And unlike several botnets seen in recent times, the attacker did not deploy any crypto-mining component. This led Juniper to believe that the Facefish threat actors may still be building a botnet that they intend to rent out or sell once it is ready.
Also, neither NETLAB nor Juniper has published a CVE identifier for the exploited vulnerability, and it is not clear whether one has been assigned.