With time, Linux has not only become the backbone of the internet and the Android OS, but has also expanded into anything that needs a minimal operating system for dedicated software. Hence, it is highly desirable for threat actors to leave backdoors that let them get back into compromised systems. Recently, one such backdoor, named Facefish, has been discovered.

About Facefish

Facefish, analyzed recently by the Qihoo 360 NETLAB team, can be used to steal device information and login credentials, execute arbitrary commands, and open a bounce (reverse) shell on infected Linux systems. The backdoor specifically targets Linux x64 systems and is capable of dropping multiple rootkits at different times. It also uses the Blowfish algorithm to encrypt its C2 communications.

Not the first time

This is not the first detailed analysis of Facefish activity. An earlier report by Juniper Networks describes an attack chain that injects SSH implants into Control Web Panel (CWP) to steal sensitive data from infected systems.
  • CWP has a myriad of flaws. Moreover, its source code is ostensibly encrypted and obfuscated, which makes it difficult to determine which versions are still vulnerable to the malware.
  • Last year, there were 215,000 CWP installations accessible from the public internet. It is therefore surmised that the number of compromised machines may be substantial.

Latest attacks on Linux

Although this is one of the latest threats to Linux operating systems, there have been others in recent times. Let's glance through them.
  • The Sysrv-hello cryptojacking botnet was found actively scanning for vulnerable Windows and Linux enterprise servers in order to infect them with a Monero miner.
  • An information disclosure bug (CVE-2020-28588) was spotted in the Linux kernel that, when abused, could allow attackers to read data from the kernel stack.

The bottom line

Researchers suspect that access to compromised machines is likely to be rented or sold as part of a botnet. This is supported by the fact that, while Facefish catalogs detailed system information, it does not immediately start cryptomining or propagating further.

Cyware Publisher