Fysbis: The Linux Backdoor Used by Russian Hackers

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Fysbis (or Linux.BackDoor.Fysbis) is a new malware family that targets Linux machines, on which it sets up a backdoor that allows the malware's author to spy on victims and carry out further attacks.

First signs of Fysbis appeared in November 2014, but only recently have security researchers from Palo Alto Networks managed to understand how this threat works and who's behind it.

Based on a lengthy investigation, researchers speculate that this is not your run-of-the-mill malware that infects computers for the criminals' monetary gain (adware, banking operations, Bitcoin mining), but a much more sophisticated threat that's only used in cyber-espionage campaigns.

Basically, if you're a regular Linux user who likes to play games on Steam, you're probably safe. On the other hand, if you're a government employee, if you manage highly sensitive Linux servers or data centers, or if you work in a big multinational corporation, then you should expect at one point or another to discover Fysbis on your machines.

Fysbis was developed by a Russian cyber-espionage group
According to Palo Alto researchers, this malware family was developed by none other than the infamous APT 28 cyber-espionage group, also known under the names of Sofacy or Sednit.

We've reported on many of their attacks in the past, and this group, which has Russian ties, has attacked many governments, non-profits, and multinationals. A short list of its most high-profile targets includes NATO, the Electronic Frontier Foundation, the Dutch Safety Board, the Polish government, and many, many banks and financial institutions.

Because many of the group's targets are also aligned with the Kremlin's interests, and also because there are lots of Russian words in the source code of APT 28's hacking tools, many security researchers believe the group may be linked to the Russian government, or at least cooperating with it.

Fysbis can work with or without root privileges
An interesting thing about Fysbis' make-up is the fact that the malware can work with or without root privileges. Once the malware arrives on the infected system, either by spear-phishing or by an attacker brute-forcing services with exposed ports, it will install itself using whatever user it can.

The malware comes in both 32 and 64-bit versions, and after the installation it will first run a few tests and see what kind of capabilities its current user has, reporting the results to a C&C server.

Technically, Fysbis can open a remote shell on the infected machine, can run commands on the attacker's behalf, log keyboard input, and find, read, save, execute or delete files.

Fysbis has a very simple feature set but is very effective
As security analysts have observed, the malware is quite simple, yet includes all the necessary functions to infiltrate systems and exfiltrate data.

A modular infrastructure also allows APT 28 to push other features to infected targets if they deem the machine deserves more probing around.

Because the malware works regardless of whether it has root privileges, can receive new modules, and has a small size, you can see why APT 28 values its versatility and chose to add it to its attack arsenal.

"Despite the lingering belief (and false sense of security) that Linux inherently yields higher degrees of protection from malicious actors, Linux malware and vulnerabilities do exist and are in use by advanced adversaries," Palo Alto researchers note. "Linux security in general is still a maturing area, especially in regards to malware."
Rishi

Level 19
Verified
Honorary Member
Top Poster
Well-known
Dec 3, 2015
938
This is one of those which defy the belief that Linux cannot be infected without root privileges being given in some form by the user. The fact that Linux only has about 48 or so known malware strains may lead to a sense of security, but on the other hand makes you wonder how many are yet to be detected. The purpose of Fysbis, granted, being government-level espionage, can certainly open doors for other malicious authors (provided it is beneficial for them).