Malware linked to Russian cyber-espionage group APT 28

Feb 13, 2016 11:56 GMT

Fysbis (or Linux.BackDoor.Fysbis) is a new malware family that targets Linux machines, on which it sets up a backdoor that allows the malware's author to spy on victims and carry out further attacks.

First signs of Fysbis appeared in November 2014, but only recently have security researchers from Palo Alto Networks managed to understand how this threat works and who's behind it.

Based on a lengthy investigation, researchers speculate that this is not your run-of-the-mill malware that infects computers for the criminals' monetary gain (adware, banking operations, Bitcoin mining), but a much more sophisticated threat, which is only used in cyber-espionage campaigns.

Basically, if you're a regular Linux user who likes to play games on Steam, you're probably safe. On the other hand, if you're a government employee, if you manage highly sensitive Linux servers or data centers, or if you work in a big multi-national corporation, then you should expect at one point or another to discover Fysbis on your machines.

Fysbis was developed by a Russian cyber-espionage group

According to Palo Alto researchers, this malware family was developed by none other than the infamous APT 28 cyber-espionage group, also known under the names of Sofacy or Sednit.

We've reported on many of their attacks in the past, and this group, which has Russian ties, has lashed out against many governments, non-profits, and multi-nationals. A short list of its most high-profile targets includes NATO, the Electronic Frontier Foundation, the Dutch Safety Board, the Polish government, and many banks and financial institutions.

Because many of the group's targets are also aligned with the Kremlin's interests, and also because there are lots of Russian words in the source code of APT 28's hacking tools, many security researchers believe the organization may be linked to the Russian government, or at least cooperating with it.

Fysbis can work with or without root privileges

An interesting aspect of Fysbis' make-up is that the malware can work with or without root privileges. Once it arrives on the system, either by spear-phishing or by an attacker brute-forcing services with exposed ports, it installs itself under whatever user account it can get.

The malware comes in both 32- and 64-bit versions, and after the installation, it will first run a few tests and see what kind of capabilities its current user has, reporting the results to a C&C server.

Technically, Fysbis can open a remote shell on the infected machine, can run commands on the attacker's behalf, log keyboard input, and find, read, save, execute or delete files.
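As an added defensive illustration (this is not code from the article or from Palo Alto Networks): because the backdoor persists under whatever account it lands on, a Linux host check has to cover per-user autostart points as well as the root-owned ones. The script below walks a small set of generic Linux persistence locations in both scopes and flags entries that are world-writable, not owned by root in system scope, or recently modified. The location lists and the seven-day window are assumptions chosen for this example, not Fysbis indicators from the report.

```python
#!/usr/bin/env python3
"""Audit Linux persistence locations in both root and per-user scope.

Added, illustrative example. The location lists below are generic Linux
persistence points picked for this example (an assumption); they are not
indicators taken from the Fysbis analysis.
"""
import os
import stat
import time
from dataclasses import dataclass

# System-wide locations that normally only root can modify (assumed generic list).
SYSTEM_LOCATIONS = [
    "etc/rc.local",
    "etc/cron.d",
    "etc/systemd/system",
    "etc/ld.so.preload",
]

# Per-user locations an unprivileged account can modify (assumed generic list).
USER_LOCATIONS = [
    ".bashrc",
    ".profile",
    ".config/autostart",
    ".config/systemd/user",
]

RECENT_WINDOW_SECONDS = 7 * 86400  # assumption: "recent" means the last seven days


@dataclass
class Finding:
    path: str
    scope: str   # "system" or "user"
    reason: str


def walk(path):
    """Yield every regular file under path (or path itself if it is a file)."""
    if os.path.isfile(path):
        yield path
    elif os.path.isdir(path):
        for directory, _, files in os.walk(path):
            for name in files:
                yield os.path.join(directory, name)


def check_file(path, scope, now=None):
    """Return the findings for one persistence entry."""
    now = time.time() if now is None else now
    st = os.lstat(path)
    findings = []
    if st.st_mode & stat.S_IWOTH:
        findings.append(Finding(path, scope, "world-writable"))
    if scope == "system" and st.st_uid != 0:
        findings.append(Finding(path, scope, "system-scope file not owned by root"))
    if now - st.st_mtime < RECENT_WINDOW_SECONDS:
        findings.append(Finding(path, scope, "modified in the last 7 days"))
    return findings


def default_homes(root):
    """List home directories under <root>/home (constructed layout for the example)."""
    base = os.path.join(root, "home")
    if not os.path.isdir(base):
        return []
    return [os.path.join(base, d) for d in sorted(os.listdir(base))]


def audit(root="/", homes=None, now=None):
    """Check system-scope locations under root and user-scope locations under each home."""
    findings = []
    for rel in SYSTEM_LOCATIONS:
        for path in walk(os.path.join(root, rel)):
            findings.extend(check_file(path, "system", now))
    for home in (default_homes(root) if homes is None else homes):
        for rel in USER_LOCATIONS:
            for path in walk(os.path.join(home, rel)):
                findings.extend(check_file(path, "user", now))
    return findings


if __name__ == "__main__":
    # Run against the live host; the root parameter exists so the audit can be
    # pointed at a mounted image or a test tree instead.
    for finding in audit():
        print(f"[{finding.scope}] {finding.path}: {finding.reason}")
```

A finding is only a prompt to look closer: a freshly edited `.bashrc` is usually legitimate, but a world-writable entry under `/etc/cron.d` or a user-level systemd unit that appeared on a server nobody logs into interactively deserves a second look. Pointing `audit()` at a mounted disk image keeps the check off the suspect host.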

Fysbis has a very simple feature set but is very effective

As security analysts have observed, the malware is quite simple, yet it includes all the necessary functions to infiltrate systems and exfiltrate data.

A modular infrastructure also allows APT 28 to push other features to infected targets if it decides the machine deserves more probing.

Because the malware works regardless of whether it has root privileges, can receive new modules, and is small, you can see why APT 28 values its versatility and chose to add it to its attack arsenal.

"Despite the lingering belief (and false sense of security) that Linux inherently yields higher degrees of protection from malicious actors, Linux malware and vulnerabilities do exist and are in use by advanced adversaries," Palo Alto researchers note. "Linux security in general is still a maturing area, especially in regards to malware."