Linux Fysbis Trojan, a new weapon in the Pawn Storm’s arsenal

Malware researchers at Palo Alto Networks discovered the Fysbis Trojan, a simple but effective Linux threat used by the Russian cyberspy group Pawn Storm.

Do you remember the Pawn Storm hacking crew? Security experts track this group of Russian hackers under several names, including APT28, Sofacy and Sednit; it has been active since at least 2007.

The name Pawn Storm is used by security experts to reference an active economic and political cyber-espionage operation targeting a wide range of entities, most of them belonging to the military, governments, and media industries.

Specific targets include:

  • Military agencies, embassies, and defense contractors in the US and its allies
  • Opposition politicians and dissidents of the Russian government
  • International media
  • The national security department of a US ally

The Pawn Storm APT group is considered a highly sophisticated threat with zero-day exploits in its arsenal. The group has used several strains of malware for the different operating systems on the market, including mobile spyware designed to infect Apple iOS devices. One of the principal tools used by the Russian hackers is a Windows backdoor called Sednit.

Now the group is back, targeting Linux systems with a Trojan dubbed Fysbis that is able to compromise targets without requiring highly privileged access. According to the malware researchers at Palo Alto Networks, the Fysbis Trojan is one of the group's preferred tools for infecting Linux systems, even though it is not a sophisticated threat.

“The Linux malware Fysbis is a preferred tool of Sofacy, and though it is not particularly sophisticated, Linux security in general is still a maturing area, especially in regards to malware. In short, it is entirely plausible that this tool has contributed to the success of associated attacks by this group. This blog post focuses specifically on this Linux tool preferred by Sofacy and describes considerations and implications when it comes to Linux malware,” the Palo Alto researchers said Friday in a blog post.

The Fysbis Trojan has a modular structure: its core components are plugins that can be loaded to add new functionality to the agent.

“Fysbis is a modular Linux trojan / backdoor that implements plug-in and controller modules as distinct classes. For reference, some vendors categorize this malware under the Sednit attacker group naming designation. This malware includes both 32-bit and 64-bit versions of Executable and Linking Format (ELF) binaries. Additionally, Fysbis can install itself to a victim system with or without root privileges,” continues the analysis published by Palo Alto Networks. As a
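Because the analysis notes that the family ships both 32-bit and 64-bit ELF builds, a defender triaging files dropped on a Linux host first needs to tell the two apart. The following Python is an added example (not code from the Palo Alto analysis and not derived from Fysbis samples): it reads the ELF identification bytes and the `e_type`/`e_machine` fields to classify each file, and the "files" it inspects are constructed minimal headers, not real malware.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

ELF_MAGIC = b"\x7fELF"
EI_CLASS = {1: "ELF32", 2: "ELF64"}
EI_DATA = {1: "little-endian", 2: "big-endian"}
E_TYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
E_MACHINE = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}


@dataclass
class ElfIdent:
    elf_class: str
    endianness: str
    e_type: str
    machine: str


def parse_elf_ident(data: bytes) -> Optional[ElfIdent]:
    """Return class/endianness/type/machine of a file image, or None if the
    first 20 bytes are not a well-formed ELF header (wrong magic, bad class
    or data byte, or a truncated file)."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    elf_class, elf_data = data[4], data[5]
    if elf_class not in EI_CLASS or elf_data not in EI_DATA:
        return None
    # e_type and e_machine sit at offsets 16 and 18 in both ELF32 and ELF64
    # headers; only their byte order depends on EI_DATA.
    fmt = "<HH" if elf_data == 1 else ">HH"
    e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return ElfIdent(
        EI_CLASS[elf_class],
        EI_DATA[elf_data],
        E_TYPE.get(e_type, f"unknown({e_type})"),
        E_MACHINE.get(e_machine, f"unknown({e_machine})"),
    )


def triage(files: Dict[str, bytes]) -> Dict[str, str]:
    """One-line summary per file, e.g. 'ELF64 little-endian ET_DYN x86-64'."""
    out = {}
    for name, data in files.items():
        ident = parse_elf_ident(data)
        out[name] = ("not ELF" if ident is None else
                     f"{ident.elf_class} {ident.endianness} {ident.e_type} {ident.machine}")
    return out


def elf_classes_present(files: Dict[str, bytes]) -> set:
    """Set of ELF classes found; a drop that carries both builds, as the
    analysis describes for Fysbis, yields {'ELF32', 'ELF64'}."""
    return {i.elf_class for i in map(parse_elf_ident, files.values()) if i}


def make_header(elf_class: int, e_type: int, e_machine: int) -> bytes:
    """Constructed 20-byte little-endian ELF header for the sample set:
    magic, EI_CLASS, EI_DATA=1, EI_VERSION=1, OSABI=0, ABIVERSION=0, 7 pad
    bytes, then e_type and e_machine."""
    ident = ELF_MAGIC + bytes([elf_class, 1, 1, 0, 0]) + b"\x00" * 7
    return ident + struct.pack("<HH", e_type, e_machine)


# Constructed sample "files" (hypothetical names): two ELF headers, a shell
# script and a truncated header that must be rejected rather than crash.
SAMPLES = {
    "agent64": make_header(2, 3, 62),   # ELF64, ET_DYN (PIE), x86-64
    "agent32": make_header(1, 2, 3),    # ELF32, ET_EXEC, x86
    "run.sh": b"#!/bin/sh\necho not a binary\n",
    "truncated": b"\x7fELF\x02",
}

if __name__ == "__main__":
    for name, summary in triage(SAMPLES).items():
        print(f"{name:10s} {summary}")
    print("classes present:", sorted(elf_classes_present(SAMPLES)))
```

On a real host you would feed `parse_elf_ident` the first 20 bytes of each candidate file instead of the constructed samples; the parser deliberately checks length and the class and data bytes before unpacking, so malformed or truncated files are reported as "not ELF" instead of raising.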

The Fysbis Trojan was designed to exfiltrate potentially sensitive documents and spy on the user’s Web browsing and other activities.

The experts at Palo Alto Networks' Unit 42 have observed that APT groups tend to reuse historical command and control infrastructure. The analysis of the Fysbis Trojan samples confirmed this behavior; however, in the latest variants the threat actor also used previously unknown servers.

The choice to develop a Linux trojan doesn't surprise the experts: Linux is the preferred platform in data centers, in cloud infrastructure for businesses, and on application servers. Linux is also the core of Android devices and many other embedded systems. There is another aspect to consider: many business environments mainly use Windows systems, so they are more effective at detecting Windows threats thanks to the adoption of dedicated defense solutions, while Linux hosts often lack equivalent coverage.


Pierluigi Paganini

(Security Affairs – Pawn Storm, iPhone Fysbis trojan)


Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
