How Pawn Storm uses Fysbis as a Linux backdoor

The cyber-espionage group Pawn Storm has been using Fysbis malware as a backdoor that allows the group to infect Linux systems.

Pawn Storm, also known as APT28 and Sednit, is believed to have ties to the Russian government. The group has previously launched attacks against global financial institutions, Eastern European institutions, Dutch Air Safety Board, the Ukrainian government, politicians, journalists, and even a punk band.

Pawn Storm's use of Fysbis malware was noted by researchers last April. Trend Micro researchers detected a phishing campaign that attempted to install Fysbis onto the systems by sending targets emails with malicious links to webpages that appeared to be legitimate news websites. The new research by a team of researchers at Palo Alto Networks provides additional detail into how the Fysbis malware helps Pawn Storm coordinate its surveillance activities.

Intelligence analysts Bryan Lee and Rob Downs noted that the Fysbis malware can install itself onto a system with or without root privileges. “Overall, these binaries are assessed as low sophistication, but effective,” the researchers wrote in a Palo Alto Networks blog post. “Rather, these actors more often than not hold their advanced malware and zero day exploits in reserve and employ just enough resources to meet their goals.”

The analysts also warned of Pawn Storm use of the CVE-2016-0728 vulnerability, a bug that allows attackers to gain root access into Linux systems from a limited account.