What is this Fysbis Malware?

Hi all,

The Sofacy group, aka APT28 and Sednit, is a cyber espionage group believed to have ties to Russia. They focus on targeting government and defense organizations and various Eastern European governments.

This group seems to use an abundance of tools and tactics. These include zero-day exploits targeting common applications such as Java or Microsoft Office, spear-phishing attacks, compromising legitimate websites to stage watering-hole attacks, and targeting a variety of operating systems – Windows, OSX, Linux, even mobile iOS.

The Linux malware Fysbis is a preferred tool of Sofacy, and though it is not particularly sophisticated, Linux security in general is still a maturing area, especially with regard to malware. In short, it is entirely plausible that this tool has contributed to the success of associated attacks by this group.

Take a look at the malware

The Palo Alto Networks blog post “Fysbis: Sofacy’s Linux Backdoor” analyses the malware: http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/

Fysbis is a modular Linux trojan / backdoor that implements plug-in and controller modules as distinct classes. For reference, some vendors categorize this malware under the Sednit attacker group naming designation. This malware includes both 32-bit and 64-bit versions of Executable and Linking Format (ELF) binaries. Additionally, Fysbis can install itself on a victim system with or without root privileges, which increases the options available to an adversary when selecting accounts for installation.

Source: Akati
