
Fysbis: The Linux Backdoor Used by Russian Hackers


Batu69


Malware linked to Russian cyber-espionage group APT 28

[Image: Fysbis is a malware that opens a backdoor on Linux systems]

Fysbis (or Linux.BackDoor.Fysbis) is a new malware family that targets Linux machines, on which it sets up a backdoor that allows the malware's author to spy on victims and carry out further attacks.

The first signs of Fysbis appeared in November 2014, but only recently have security researchers from Palo Alto Networks managed to understand how this threat works and who is behind it.

Based on a lengthy investigation, researchers believe that this is not your run-of-the-mill malware that infects computers for the criminals' monetary gain (adware, banking fraud, Bitcoin mining), but a much more sophisticated threat that is used only in cyber-espionage campaigns.

Basically, if you're a regular Linux user who likes to play games on Steam, you're probably safe. On the other hand, if you're a government employee, if you manage highly sensitive Linux servers or data centers, or if you work in a big multinational corporation, then you should expect at one point or another to discover Fysbis on your machines.

Fysbis was developed by a Russian cyber-espionage group

According to Palo Alto researchers, this malware family was developed by none other than the infamous APT 28 cyber-espionage group, also known under the names of Sofacy or Sednit.

We've reported on many of their attacks in the past, and this group, which has Russian ties, has attacked many governments, non-profits, and multinationals. A short list of its most high-profile targets includes NATO, the Electronic Frontier Foundation, the Dutch Safety Board, the Polish government, and many banks and financial institutions.

Because many of the group's targets are also aligned with the Kremlin's interests, and because there are many Russian words in the source code of APT 28's hacking tools, many security researchers believe the group may be linked to the Russian government, or at least cooperating with it.

Fysbis can work with or without root privileges

An interesting thing about Fysbis' make-up is that the malware can work with or without root privileges. Once the malware arrives on the target system, either via spear-phishing or after an attacker brute-forces services with exposed ports, it installs itself under whatever user account it can obtain.

The malware comes in both 32- and 64-bit versions, and after installation it first runs a few tests to see what capabilities its current user has, reporting the results to a C&C server.

Technically, Fysbis can open a remote shell on the infected machine, run commands on the attacker's behalf, log keyboard input, and find, read, save, execute, or delete files.

Fysbis has a very simple feature set but is very effective

As security analysts have observed, the malware is quite simple, yet includes all the necessary functions to infiltrate systems and exfiltrate data.

A modular architecture also allows APT 28 to push additional features to infected targets if they decide the machine deserves more probing.

Because the malware works regardless of whether it has root privileges, can receive new modules, and is small in size, you can see why APT 28 values its versatility and chose to add it to its attack arsenal.

"Despite the lingering belief (and false sense of security) that Linux inherently yields higher degrees of protection from malicious actors, Linux malware and vulnerabilities do exist and are in use by advanced adversaries," Palo Alto researchers note. "Linux security in general is still a maturing area, especially in regards to malware."

Article source
