Linux Backdoor Called Fysbis Used by Russian Hackers

A new malware family known as Fysbis (or Linux.BackDoor.Fysbis) is aiming Linux machines by setting up a backdoor that allows the malware’s author to snoop on victims and perform further attacks.

Fybis showed its first signs in November 2014. However, the security researchers from Palo Alto Networks only recently have been able to understand who is behind the danger and how this threat works.

Researchers after carrying out a detailed inquiry guess that this is not your run-of-the-mill malware that affects computers for the criminals’ monetary gain (adware, Bitcoin mining, banking operations), but a much more sophisticated threat, that’s only used in cyber-espionage campaigns.

However, you are probably safe, if you are a regular Linux user that enjoys playing games on Steam. While on the other hand, if you work in big multi-national corporations or are a government employee and take care of the highly-sensitive Linux servers, data centers, then you should expect at one point or another to come across Fysbis on your machines.

According to Palo Alto researchers, this malware family was developed by none other than the infamous APT 28 cyber-espionage group, also known under the names of Sofacy or Sednit. This group is a fairly well known cyber espionage group believed to have ties to Russia. Their targets have spanned all across the world, with a focus on government, non-profits, defense organizations and various Eastern European governments. There have been numerous reports on their activities, to the extent that a Wikipedia entry has even been created for them.

Most high-profile targets of its short list includes NATO, the Dutch Air Safety Board, the Electronic Frontier Foundation, the Polish government, and many financial institutions and banks.

Many security researchers believe the group may be linked to the Russian government, or at least cooperating with it, as not only many of the group’s targets are associated with Kremlin’s interests, but also because there are several Russian words in the source code of APT 28’s hacking tools.

The fact that the malware can work with or without root privileges is one of the interesting things to note about Fysbis’ make-up. The malware will install itself using whatever user it can, once it comes on the infected system, either by attacker brute-forcing services with exposed ports or by spear-phishing.

Fysbis is a modular Linux trojan / backdoor that implements plug-in and controller modules as distinct classes. This malware includes both 32-bit and 64-bit versions of Executable and Linking Format (ELF) binaries. After the installation, it will performs a few tests to see what kind of capabilities its current user has, and reports the results to a C&C server.

Technically, Fysbis can open a remote shell on the infected machine, can run commands on the attacker’s behalf, find, read, save, execute or delete files, and log keyboard input.

While the malware is quite simple, it still has all the required functions to penetrate systems and exfiltrate data, the security analysts have observed.

If a modular infrastructure believes that the machine is worthy of more probing around, it also allows APT 28 to push other features to targets that are infected.

The malware can receive new modules, and has a small size, because it works irrespective of it having root privileges. One can see why APT 28 values its versatility and selected to add it to its attack resource.

“Despite the lingering belief (and false sense of security) that Linux inherently yields higher degrees of protection from malicious actors, Linux malware and vulnerabilities do exist and are in use by advanced adversaries,” Palo Alto researchers note. “Linux security in general is still a maturing area, especially in regards to malware.”