Facefish is a Linux rootkit that targets Linux x64 systems to inject malicious code, hijack the server and install a backdoor that intercepts sensitive information, SSH credentials and keys. Unlike other SSH-targeting malware, the rootkit does not immediately use the compromised resources to mine cryptocurrency or to spread further to other targets; it likely compromises hosts so that access can be sold later.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | VT0025.001 | Remote Service Session Hijacking: SSH Hijacking | Facefish hijacks the active SSH session by injecting malicious code into the ssh/sshd process. |
| Enterprise | VT0017.004 | Unsecured Credentials: Private Keys | Facefish intercepts the ssh process to steal private keys, credentials and sensitive information about the machine. |
Created: 01 June 2021
Last Modified: 17 February 2022