Fysbis is a modular Linux backdoor first identified in late 2014 and attributed to Sofacy, the advanced persistent threat group also tracked as APT28. It gives its operator remote access to an infected host and can install itself with root privileges or, when those are not available, under the privileges of the user who ran it. Delivery depends on the victim executing the binary, typically obtained through a malicious download, email attachment, or website, and the installation usually goes unnoticed. Once installed it lets the operator run commands and collect and exfiltrate data from the host.
Two variants were documented during 2015: a 32-bit ELF sample found early in the year and a 64-bit sample that appeared later. Both behave alike, indicating the same objectives and tooling on the Sofacy side. The code is written in C++ with plug-in and controller modules implemented as distinct classes, so new capabilities can be added as plug-ins without rewriting the core.
Analysis of the binaries revealed their capabilities through the strings they contain. Class names such as RemoteShell point to an interactive remote shell, and other names reference the installation routine and the targeted platform. Because these internal names survived in the compiled binaries (the "leakage" noted in the analysis), they expose the malware's design to analysts and double as ready-made string indicators for detection.
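As an added example of the string-based triage described above (this is illustrative code written for this page, not the original analysis or any Fysbis code), the following reads the ELF identification bytes to tell a 32-bit sample from a 64-bit one and scans printable strings for leaked class names. Only RemoteShell is named on the page; the other indicator names and the sample byte string are constructed for the demonstration.

```python
"""Triage an ELF blob: report bitness from the ELF header and flag leaked
class-name strings. Added example, not code from the Fysbis analysis."""
import re

# Indicator substrings to look for in printable strings. "RemoteShell" comes
# from the Fysbis analysis; the other two names are assumptions for illustration.
INDICATORS = {
    "remote_shell": ["RemoteShell"],
    "install": ["InstallManager"],     # assumed name
    "platform": ["LinuxPlatform"],     # assumed name
}


def elf_bitness(blob: bytes):
    """Return 32 or 64 based on EI_CLASS (byte 4 of the ELF ident), or None
    if the blob does not start with the ELF magic."""
    if len(blob) < 5 or blob[:4] != b"\x7fELF":
        return None
    return {1: 32, 2: 64}.get(blob[4])


def printable_strings(blob: bytes, min_len: int = 6):
    """Mimic `strings`: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def triage(blob: bytes):
    """Return the sample's bitness and, per indicator category, the strings
    that contain one of the indicator names. Itanium-mangled C++ symbols
    (e.g. _ZN11RemoteShell7ExecuteEv) still match because the class name
    appears verbatim inside the mangled form."""
    found = printable_strings(blob)
    hits = {}
    for category, names in INDICATORS.items():
        matched = [s for s in found if any(n in s for n in names)]
        if matched:
            hits[category] = matched
    return {"elf_bits": elf_bitness(blob), "indicators": hits}


# Constructed sample: a fake 64-bit ELF ident followed by a few strings of the
# kind an unstripped C++ backdoor would leak. Not a real Fysbis binary.
SAMPLE_64 = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9          # e_ident, EI_CLASS = 2 (64-bit)
    + b"\x00" * 8
    + b"_ZN11RemoteShell7ExecuteEv\x00"          # mangled method of RemoteShell
    + b"InstallManager\x00"
    + b"/bin/sh\x00"
    + b"LinuxPlatform\x00"
    + b"\x01\x02"
)

if __name__ == "__main__":
    result = triage(SAMPLE_64)
    print("ELF bitness:", result["elf_bits"])
    for category, strings in result["indicators"].items():
        print(f"{category}: {strings}")
```

On a real sample the same approach is a first pass only: a stripped build or one that obfuscates its class names will yield no hits, so the string indicators should be treated as corroborating evidence alongside behavioral analysis of the installation and command handling.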
Description last updated: 2024-05-04T16:47:50.345Z