{"id":86,"date":"2018-01-13T16:45:28","date_gmt":"2018-01-13T16:45:28","guid":{"rendered":"http:\/\/malwrforensics.com\/en\/?p=86"},"modified":"2018-01-14T04:40:08","modified_gmt":"2018-01-14T04:40:08","slug":"fysbis-backdoor-analysis","status":"publish","type":"post","link":"https:\/\/malwrforensics.com\/en\/2018\/01\/13\/fysbis-backdoor-analysis\/","title":{"rendered":"Fysbis backdoor analysis"},"content":{"rendered":"

Reportedly<\/a>\u00a0the Fysbis backdoor has been used by the Sofacy(APT28) group in targetted attacks against defense organizations and East European governments. The malware has both 32 and 64-bit versions, but in this article we will show snippets from the latter one.<\/p>\n

As the program starts, it will check if it’s not already running and if not, it will install and start itself.<\/p>\n

\"\"<\/p>\n

To detect if it’s running it will first grep the process list:<\/p>\n

\"\"<\/p>\n

Next it will try to gain root privileges. If it succeeds, the drops itself in the \/bin folder with the name rsyncd, otherwise it will choose the\u00a0~\/.config\/dbus-notifier<\/b><\/tt>\u00a0with the name\u00a0dbus-inotifier<\/b>. The malware checks if it is set to start automatically at startup. It does that by searching the active process list for the systemd process. If this process is found, it will recursively search the\u00a0\"\/usr\/lib\/systemd\/\"<\/b><\/tt>\u00a0folder and check every file for the\u00a0\"\/bin\/rsyncd\"<\/b><\/tt>\u00a0string.<\/p>\n

\"\"<\/p>\n

f it doesn’t have root privileges, it checks the\u00a0~\/.config\/autostart\/<\/b><\/tt>\u00a0directory for the\u00a0dbus-inotifier<\/b><\/tt>\u00a0file.<\/p>\n

If the malware isn’t running and the program has root privileges it will try to create a service file and launch itself.<\/p>\n

\"\"<\/p>\n

To do that it will create the\u00a0rsyncd.service<\/b><\/tt>\u00a0unit configuration file in\u00a0\/usr\/lib\/systemd\/system\/<\/b><\/tt><\/p>\n

\"\"<\/p>\n

Afterwards it installs & launch the service by executing the following commands:<\/p>\n\n\n\n
ln -s '\/lib\/systemd\/system\/rsyncd.service' '\/etc\/systemd\/system\/multi-user.target.wants\/rsyncd.service'<\/b><\/tt><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\"\"<\/p>\n

systemctl daemon-reload<\/b><\/tt>\u00a0to reload the service<\/p>\n

If the backdoor doesn’t have root privileges, it creates the\u00a0~\/.config\/autostart\/dbus-inotifier.desktop<\/b><\/tt>\u00a0file with the following contents:<\/p>\n

\"\"<\/p>\n

It creates the directory\u00a0\/usr\/lib\/cva-ssys<\/b><\/tt>\u00a0to store its files its files in it:<\/p>\n

\"\"<\/p>\n

In this folder it stores a sqlite3 database (named\u00a0My_BD<\/b><\/tt>) where it stores configuration data. The configuration is stored in a binary format in a table called\u00a0chnnl<\/b>:<\/p>\n

\"\"<\/p>\n

The table has the following format:<\/p>\n

\"\"<\/p>\n

The backdoor will contact the command and control server (azureon-line.com) to register the infection and wait for commands:<\/p>\n

\"\"<\/p>\n

The malware will send a request similar to the following:<\/p>\n

\"\"<\/p>\n

The backdoor allows for the following operations:<\/p>\n\n\n\n\n\n
control the main module that handles configuration data and plugins<\/td>\n<\/tr>\n
module that opens a remote shell and execute arbitrary commands<\/td>\n<\/tr>\n
module that interracts with the file system (example: exfiltrate data, set staging area, run additional malware, etc)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Commands supported by the shell module<\/b><\/p>\n

\"\"<\/p>\n

Commands supported by the filesystem module<\/b><\/p>\n

\"\"<\/p>\n

Here<\/a>\u00a0you can find a python tool to detect this backdoor:<\/p>\n

\"\"<\/p>\n

File information:<\/p>\n\n\n\n\n\n
SHA256<\/td>\n8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb<\/td>\n<\/tr>\n
SHA1<\/td>\n9444d2b29c6401bc7c2d14f071b11ec9014ae040<\/td>\n<\/tr>\n
MD5<\/td>\n364ff454dcf00420cff13a57bcb78467<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"

Reportedly\u00a0the Fysbis backdoor has been used by the Sofacy(APT28) group in targetted attacks against defense organizations and East European governments. The malware has both 32 and 64-bit versions, but in this article we will show snippets from the latter one. As the program starts, it will check if it’s not already running and if not, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[22,21,11,18],"class_list":["post-86","post","type-post","status-publish","format-standard","hentry","category-security","tag-backdoor","tag-fysbis","tag-linux","tag-malware"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[]}},"featured_image_urls_v2":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":""},"post_excerpt_stackable_v2":"

Reportedly\u00a0the Fysbis backdoor has been used by the Sofacy(APT28) group in targetted attacks against defense organizations and East European governments. The malware has both 32 and 64-bit versions, but in this article we will show snippets from the latter one. As the program starts, it will check if it’s not already running and if not, it will install and start itself. To detect if it’s running it will first grep the process list: Next it will try to gain root privileges. If it succeeds, the drops itself in the \/bin folder with the name rsyncd, otherwise it will choose the\u00a0~\/.config\/dbus-notifier\u00a0with…<\/p>\n","category_list_v2":"Security<\/a>","author_info_v2":{"name":"malwrforensics","url":"https:\/\/malwrforensics.com\/en\/author\/u_malwrforensics\/"},"comments_num_v2":"0 comments","_links":{"self":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/86","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/comments?post=86"}],"version-history":[{"count":1,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/86\/revisions"}],"predecessor-version":[{"id":102,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/86\/revisions\/102"}],"wp:attachment":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/media?parent=86"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/categories?post=86"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/tags?post=86"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}