Remove FaceFish Backdoor

The Facefish Backdoor is a multi-purpose implant that targets Linux systems exclusively. Its name comes from the fact that all communication between the implant and its control server is encrypted with the Blowfish cipher, which helps conceal the malicious traffic. The threat establishes persistence on infected machines and attempts to steal login credentials. In addition, it attempts to drop rootkits and other malware and to execute commands sent by the remote operator.

Clearly, Facefish Backdoor's creators have put emphasis on ensuring persistence, and victims of this implant may have a hard time trying to eradicate the malicious app manually. The recommended course of action when dealing with advanced threats of this type is to use an up-to-date antivirus tool, which will eliminate all malicious files in one swift operation. By doing so, it will prevent any of Facefish Backdoor's components from persisting and taking over the system again.

Apart from dropping a rootkit, the functionality of the Facefish Backdoor is rather limited – it supports only a small set of commands. However, if it manages to obtain elevated privileges on the infected host, it may steal enough data to give the attacker the means to cause far more damage. Some of Facefish Backdoor's abilities are:

  • Automatically steal login credentials and transfer them to the server.
  • Use the 'uname' UNIX command to collect data.
  • Open a reverse shell.
  • Execute system commands and send the output to the attacker's server.

The infection vector used to deliver the Facefish Backdoor is not yet clear. The criminals may be relying on exploiting vulnerable software and services, so Linux users should apply all available updates and security patches, which could help prevent such attacks.

June 1, 2021