Facefish

Facefish is a Linux rootkit that targets x64 systems: it injects malicious code, hijacks the server and installs a backdoor that intercepts sensitive information, including SSH credentials and keys. Unlike other SSH-targeting malware, the rootkit does not immediately use the compromised host to mine cryptocurrency or to spread to other targets; it likely compromises targets in order to sell access later.[1][2]

Techniques Used

Domain       ID            Name                                              Use
Enterprise   VT0025 .001   Remote Service Session Hijacking: SSH Hijacking   Facefish hijacks the active SSH session by injecting malicious code into the ssh/sshd process.
Enterprise   VT0017 .004   Unsecured Credentials: Private Keys               Facefish intercepts the ssh process to steal private keys, credentials and sensitive information about the machine.
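The injection into the ssh/sshd process described in the table above is what a defender can look for on a host. The following is an added example, not code from the original page or from any Facefish analysis: it lists the file-backed mappings of every running ssh/sshd process from /proc/<pid>/maps and flags shared objects that live outside the distribution's library directories or were unlinked after loading, and it reports any entries in /etc/ld.so.preload, since a preloaded library lands in every dynamically linked process, sshd included. The trusted path prefixes, the sample maps excerpt and the library names in it are constructed assumptions; the page does not state which injection mechanism Facefish uses.

```python
"""Audit ssh/sshd processes for code mapped from unexpected places.

Added example; not from the original page.  TRUSTED_PREFIXES is an
assumption about where a distribution keeps its legitimate libraries and
binaries and should be tuned per host.
"""
import os

# Assumed legitimate locations for sshd, ssh and their shared libraries.
TRUSTED_PREFIXES = ("/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/",
                    "/usr/sbin/sshd", "/usr/bin/ssh")
TARGET_NAMES = {"sshd", "ssh"}


def parse_maps(maps_text):
    """Return the set of file-backed mappings in /proc/<pid>/maps content.

    Lines without a path (anonymous, [heap], [stack], [vdso]) are skipped.
    A mapping whose file was unlinked keeps its path with ' (deleted)' appended.
    """
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)          # address perms offset dev inode path
        if len(fields) == 6 and fields[5].startswith("/"):
            paths.add(fields[5].strip())
    return paths


def suspicious_mappings(paths, trusted=TRUSTED_PREFIXES):
    """Mapped files outside the trusted prefixes, or deleted after loading."""
    return [p for p in sorted(paths)
            if p.endswith(" (deleted)") or not p.startswith(trusted)]


def preload_entries(preload_text):
    """Libraries listed in /etc/ld.so.preload (comments and blanks ignored).

    Anything here is loaded into every dynamically linked process, so a
    non-empty list on a server needs an explanation.
    """
    return [ln.strip() for ln in preload_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def ssh_processes():
    """Yield (pid, comm) for processes whose command name is ssh or sshd."""
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue
        if comm in TARGET_NAMES:
            yield int(pid), comm


def audit_host():
    """Return ({pid: (comm, [suspicious paths])}, [preload entries]) for this host."""
    findings = {}
    for pid, comm in ssh_processes():
        try:
            with open(f"/proc/{pid}/maps") as f:
                bad = suspicious_mappings(parse_maps(f.read()))
        except OSError:
            continue                          # other users' maps need root
        if bad:
            findings[pid] = (comm, bad)
    try:
        with open("/etc/ld.so.preload") as f:
            preload = preload_entries(f.read())
    except OSError:
        preload = []                          # file absent is the normal case
    return findings, preload


# Constructed /proc/<pid>/maps excerpt for an sshd process; the library
# names are made up for this example and are not Facefish indicators.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a7b000 r-xp 00000000 fd:01 1234 /usr/sbin/sshd
7f3a1c000000-7f3a1c1c0000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c402000 r-xp 00000000 fd:01 9012 /tmp/.x/libsample_injected.so
7f3a1c600000-7f3a1c601000 r-xp 00000000 fd:01 3456 /usr/lib/libsample.so (deleted)
7f3a1c800000-7f3a1c820000 rw-p 00000000 00:00 0
7ffd2e000000-7ffd2e021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print("sample:", suspicious_mappings(parse_maps(SAMPLE_MAPS)))
    host_findings, host_preload = audit_host()
    for pid, (comm, bad) in host_findings.items():
        print(f"{comm}[{pid}] maps unexpected files: {bad}")
    if host_preload:
        print("ld.so.preload entries:", host_preload)
```

Run it as root so that every sshd child's maps file is readable. A mapping from /tmp, a home directory or a deleted path inside sshd is not proof of Facefish on its own, but it is exactly the kind of artifact the injection described above leaves, and it should be compared against a clean baseline of the same distribution before the host is trusted again.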

References

Attachments

ID: VS0018
Type: MALWARE

Created: 01 June 2021

Last Modified: 22 June 2021