Attackers target Linux servers with Facefish backdoor dropping rootkits

Cybersecurity researchers are warning of a sophisticated malicious campaign targeting Linux servers with the goal of implanting a backdoor that spreads rootkits.

According to researchers at Juniper Threat Labs, who first spotted the campaign, attackers have been scanning the internet since at least February 2021 for vulnerable CWP installations, exploiting an old vulnerability to gain access to the CWP admin interface and then injecting malicious code into the Secure Shell (SSH) servers on those Linux hosts.

Control Web Panel (CWP), formerly CentOS Web Panel, is a free, open source control panel for CentOS Linux that offers easy management of multiple servers.

Dubbed Facefish by Qihoo 360 NETLAB team, who also analyzed this campaign, the backdoor is designed to collect device information, execute arbitrary commands, and steal SSH credentials from the infected host.

“Facefish consists of 2 parts, Dropper and Rootkit, and its main function is determined by the Rootkit module, which works at the Ring 3 layer and is loaded using the LD_PRELOAD feature to steal user login credentials by hooking ssh/sshd program related functions, and it also supports some backdoor functions. Facefish supports pretty flexible configuration, uses Diffie-Hellman exchange keys, Blowfish encrypted network communication, and targets Linux x64 systems,” the researchers wrote in a recent blog post.

The attack involves a multi-stage infection process. It starts with a command injection against CWP to retrieve a dropper ("sshins") from a remote server; the dropper then releases a rootkit that collects information, sends it to an attacker-controlled server, and awaits further instructions from its C&C server.
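Because the rootkit described above runs in user space and is loaded through LD_PRELOAD to hook ssh/sshd, one practical host check is to audit the two places a preload can come from: the system-wide /etc/ld.so.preload file and the LD_PRELOAD variable in each process's environment. The script below is an added example written for this article, not code from Juniper or NETLAB; its sample file contents, process list and library paths are constructed and hypothetical, and the allowlist is assumed empty by default.

```python
# Added example: audit LD_PRELOAD-style hooking of the kind attributed to Facefish.
# All inputs here are constructed; on a live host you would read /etc/ld.so.preload
# and /proc/<pid>/{comm,environ} instead.
import re

ALLOWED_PRELOADS = frozenset()          # assumption: no preloads are expected on this host
SENSITIVE_COMMS = {"ssh", "sshd"}       # processes whose credential handling the rootkit hooks

def parse_ld_so_preload(text: str) -> list[str]:
    """Return the libraries listed in /etc/ld.so.preload.
    Entries are whitespace-separated (ld.so(8)); text after '#' is treated as a comment."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(p for p in re.split(r"[:\s]+", line) if p)
    return libs

def parse_environ(environ: bytes) -> list[str]:
    """Extract LD_PRELOAD entries from a /proc/<pid>/environ blob (NUL-separated)."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            # The dynamic loader accepts both ':' and whitespace as separators.
            return [p for p in re.split(r"[:\s]+", value) if p]
    return []

def audit(preload_file: str, procs: dict, allowed=ALLOWED_PRELOADS) -> list[dict]:
    """procs maps pid -> (comm, environ bytes). One finding per library not on the allowlist."""
    findings = []
    for lib in parse_ld_so_preload(preload_file):
        if lib not in allowed:
            findings.append({"source": "/etc/ld.so.preload", "lib": lib, "severity": "high"})
    for pid, (comm, environ) in procs.items():
        for lib in parse_environ(environ):
            if lib in allowed:
                continue
            # A preload injected into ssh/sshd matches the credential-theft behaviour described.
            sev = "critical" if comm in SENSITIVE_COMMS else "medium"
            findings.append({"source": f"pid {pid} ({comm})", "lib": lib, "severity": sev})
    return findings

# Constructed sample data with hypothetical paths.
SAMPLE_PRELOAD = "# system-wide preloads\n/usr/lib/libhookdemo.so  # hypothetical entry\n"
SAMPLE_PROCS = {
    1234: ("sshd", b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libdemo.so\0"),  # hypothetical
    2345: ("bash", b"HOME=/root\0TERM=xterm\0"),
}

if __name__ == "__main__":
    for f in audit(SAMPLE_PRELOAD, SAMPLE_PROCS):
        print(f"[{f['severity']}] {f['source']}: {f['lib']}")
```

Both locations should be checked, since a system-wide entry in /etc/ld.so.preload affects every new process while an environment variable only affects the process tree it was set in.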

Neither Juniper nor NETLAB shared a CVE identifier for the vulnerability exploited by the intruder for initial compromise.

“Because of the number of vulnerabilities in CWP, the intentional encryption and obfuscation of their source code ostensibly for security reasons, and CWP’s failure to respond to ZDI’s recent disclosures, it is difficult to ascertain which versions of CWP are or remain vulnerable to this attack,” Juniper explained.
