Security News > 2021 > May > Researchers Warn of Facefish Backdoor Spreading Linux Rootkits
Cybersecurity researchers have disclosed a new backdoor program capable of stealing user login credentials, device information and executing arbitrary commands on Linux systems.
The malware dropper has been dubbed "Facefish" by Qihoo 360 NETLAB team owing its capabilities to deliver different rootkits at different times and the use of Blowfish cipher to encrypt communications to the attacker-controlled server.
"Facefish consists of 2 parts, Dropper and Rootkit, and its main function is determined by the Rootkit module, which works at the Ring 3 layer and is loaded using the LD PRELOAD feature to steal user login credentials by hooking ssh/sshd program related functions, and it also supports some backdoor functions," the researchers said.
Facefish goes through a multi-stage infection process, which commences with a command injection against CWP to retrieve a dropper from a remote server, which then releases a rootkit that ultimately takes charge of collecting and transmitting sensitive information back to the server, in addition to awaiting further instructions issued by the command-and-control server.
For its part, the dropper comes with its own set of tasks, chief among being detecting the runtime environment, decrypting a configuration file to get C2 information, configuring the rootkit, and starting the rootkit by injecting it into the secure shell server process.
Rootkits are particularly dangerous as they allow attackers to gain elevated privileges in the system, allowing them to interfere with core operations conducted by the underlying operating system.