{
	"id": "299560fc-9706-49c3-a3ff-e2f2f9825711",
	"created_at": "2026-04-06T00:20:56.078836Z",
	"updated_at": "2026-04-10T03:37:50.01029Z",
	"deleted_at": null,
	"sha1_hash": "4c77d6dd3c01706ac8a47562fdc0fa4d170049cc",
	"title": "Linux.BackDoor.Fysbis.1 — Dr.Web Malware description library",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71312,
	"plain_text": "Linux.BackDoor.Fysbis.1 — Dr.Web Malware description library\r\nPublished: 2015-05-12 · Archived: 2026-04-05 23:35:21 UTC\r\nA multicomponent Trojan presumably related to the Sednit hacker group. It uses a module structure where every\r\nmodule is implemented as a separate class. Modules can be of the following two types: plug-ins and controllers.\r\nThe researched sample contained two plug-ins: one designed to work with the file system and another one\r\nconsisting of a remote control shell and a network controller (executes POST and GET requests in a specified\r\nformat).\r\nDuring the installation, the Trojan attempts to gain root privileges. If it succeeds, the malware is installed in the\r\nfolder /bin/ with the name rsyncd and with the description “synchronize and backup service”. If it does not\r\nsucceed, Linux.BackDoor.Fysbis.1 is installed in ~/.config/dbus-notifier as an executable file with the name dbus-inotifier and with the description “system service d-bus notifier”.\r\nOnce it is launched, the Trojan verifies that its copy is not running and that the malware itself is not launched\r\nusing the command interpreter nash.\r\n1. Verifies that the “echo $0” command’s output is different from “nash”.\r\n2. Verifies that there is no process with the name “rsyncd” on the active process list (“dbus-inotifier” if the\r\nTrojan does not have root privileges).\r\nNext, the malware checks whether it is configured to start automatically at system startup.\r\n1. It searches the active process list for the systemd process. If this process is found, the Trojan recursively\r\ntraverses the “/usr/lib/systemd/” directory and checks every file for the “/bin/rsyncd” string. Otherwise, it\r\nruns a search for the “/bin/rsyncd” string within the files found in the /etc/ folder.\r\n2. 
Verifies that there is no “rsyncd” file in the “/bin/” folder.\r\nIf the Trojan does not have root privileges, it checks the “~/.config/autostart/” directory for the “dbus-inotifier”\r\nfile.\r\nIf Linux.BackDoor.Fysbis.1 is not installed, it registers itself in autorun using one of the following methods:\r\n1. Adds the “/bin/rsyncd \u0026 exit 0” string to the end of all “rc.local” files found in the /etc/ folder.\r\n2. Creates the service file /usr/lib/systemd/system/rsyncd.service:\r\n[Unit]\r\nDescription=synchronize and backup service\r\nAfter=syslog.target\r\n[Service]\r\nExecStart=/bin/rsyncd\r\nOOMScoreAdjust=-500\r\n[Install]\r\nWantedBy=multi-user.target\r\nThen it installs the service by executing the following commands:\r\nhttps://vms.drweb.com/virus/?i=4276269\r\nPage 1 of 7\n\nln -s '/lib/systemd/system/rsyncd.service' '/etc/systemd/system/multi-user.target.wants/rsyncd.service'\r\nsystemctl daemon-reload\r\nThe running systemd process determines which option is used to register the Trojan in autorun: if this process is active, the first option is used; if it is not active, the second option is used.\r\nIf the Trojan does not have root privileges, to enable its automatic launch it creates the “~/.config/autostart/dbus-inotifier.desktop” file with the following contents:\r\n[Desktop Entry]\r\nType=Application\r\nExec=/home/user/.config/dbus-notifier/dbus-inotifier\r\nName[en_EN]=system service d-bus notifier\r\nName=system service d-bus notifier\r\nComment[en_EN]=\r\nComment=\r\n“/home/user/” stands here for the value of the environment variable HOME.\r\nDuring the next step, the malware copies itself to “/bin/rsyncd” (or to “~/.config/dbus-notifier/dbus-inotifier” if the Trojan does not have root privileges) and launches the copy from this location.\r\nThe address of the command and control server is stored in the Trojan’s body. All strings used by the Trojan are\r\nencrypted with the XOR algorithm. 
Depending on which task the string corresponds to, different keys are utilized.\r\nLinux.BackDoor.Fysbis.1 creates the directory “/usr/lib/cva-ssys” to store its files in (“~/.local/cva-ssys” if the\r\nTrojan does not have root privileges). When operating, the Trojan uses an SQLite3 database named\r\nMy_BD. The database is located at “/usr/lib/cva-ssys/My_BD” (“~/.local/cva-ssys/My_BD” if the\r\nTrojan does not have root privileges). The database contains the following two tables: Chnnl(id,binary) and\r\nprms(id,dword). The dwell time value for the standby mode, with “id == 0x310031”, is stored in the prms table.\r\nThe value stands for the interval during which the Trojan does not receive a reply with the payload from the\r\ncommand and control server. The value with “id == 0x320032” is the dwell time value for the active mode.\r\nThe Chnnl table contains the configuration data of the backdoor. This data is encrypted with the RC4 algorithm.\r\nThe configuration data used by the backdoor has the following structure:\r\n#pragma pack(push, 1)\r\nstruct st_cncconfig\r\n{\r\n _WORD id;\r\n _BYTE byte2;\r\n _BYTE byte3;\r\n _QWORD pCnCBeg;\r\n _QWORD pCnCEnd;\r\n _QWORD pLastElement;\r\n};\r\n#pragma pack(pop)\r\nTo be able to enter the data into the database, Linux.BackDoor.Fysbis.1 converts the configuration data into the\r\nfollowing structure:\r\n#pragma pack(push, 1)\r\nstruct st_crypted_config_data\r\n{\r\n _WORD id;\r\n _BYTE byte2;\r\n _BYTE byte3;\r\n char* pCnC; // list of CnC addresses separated by '\u0026'\r\n};\r\n#pragma pack(pop)\r\nBefore the configuration data is encrypted with the RC4 algorithm, 11 signature bytes are added to the end of the\r\ndata (these 11 bytes are stored in the backdoor’s body). Next, the buffer is encrypted using the RC4 algorithm with a\r\n50-byte key (also stored in the backdoor’s body). 
If there are keys for the string encryption with the XOR\r\nalgorithm, the configuration data will also be encrypted with the XOR algorithm.\r\nThen the buffer with the encrypted package is modified as follows:\r\n1. Two DWORD values are added to the beginning of the buffer.\r\n2. The first DWORD value is equal to zero.\r\n3. The second DWORD value is a hash and is calculated using the following function (MakeHash):\r\nunsigned __int16 CCryptor::ComputeHash(_BYTE *rc4_key, _DWORD rnd, _BYTE *crypted_data,\r\n _QWORD size)\r\n{\r\n _QWORD i;\r\n _WORD result;\r\n _BYTE CryptedByte;\r\n _BYTE j;\r\n i = 0LL;\r\n result = 0;\r\n while ( i \u003c size )\r\n {\r\n CryptedByte = crypted_data[i];\r\n j = 0;\r\n while ( 1 )\r\n {\r\n // CRC-style bit loop: when the low bit of (result ^ data bit) is set, rnd is mixed into the shifted result\r\n result = ((unsigned __int8)result ^ CryptedByte) \u0026 1 ? (rnd ^ (result \u003e\u003e 1)) :\r\n (result \u003e\u003e 1);\r\n ++j;\r\n if ( j == 8 )\r\n break;\r\n CryptedByte \u003e\u003e= 1;\r\n }\r\n ++i;\r\n }\r\n return result;\r\n}\r\n \r\nunsigned __int32 CCryptor::MakeHash(struct st_cryptor *cryptor, _BYTE *crypted_data,\r\n __int64 size)\r\n{\r\n _DWORD rnd;\r\n rnd = GetRand(0, -1);\r\n // low 16 bits: the folded random value; high 16 bits: ComputeHash over the encrypted data\r\n return (unsigned __int16)(HIWORD(rnd) ^ rnd) ^ (CCryptor::ComputeHash\r\n(\u0026cryptor-\u003erc4_key-\u003ebuffer, (HIWORD(rnd) ^ rnd), crypted_data, size) \u003c\u003c 16);\r\n}\r\nThe process of configuration data extraction is the reverse of the method described above. When the\r\nconfiguration data is extracted from the database, the backdoor verifies that the calculated hash value\r\ncorresponds to the one saved in the database. It also checks the 11-byte signature.\r\nThen the Trojan starts a thread for every plug-in; each thread waits for a package containing a command. 
It also\r\nstarts one thread to monitor the database status and another one to exchange data with the command and control\r\nserver.\r\nWhen the backdoor establishes a connection to the command and control server, it sets the request period\r\nequal to the specified dwell time for the standby mode. Once the Trojan receives the payload, it changes the\r\nrequest period to the dwell time value for the active mode. If the dwell time value for the active mode has been\r\nset, but the package has not been received, the dwell time value is incremented by the dwell time value for the\r\nactive mode. This action is repeated until the dwell time value is greater than or equal to the dwell time value for the\r\nstandby mode.\r\nThe Trojan sends GET requests of the following form to the command and control server:\r\nazureon-****.com/watch/?from=W2KIa\u0026oe=YDxQ\u0026aq=KDRHmedegqk\u0026btnG=G\u0026utm=DQ\u0026ai=Y9DmdXRnRMCsX9Mm2KPXQOTAC\r\nazureon-****.com/search/?oe=BiQCNKF\u0026aq=wl\u0026oe=Zcl0al2GeHD\u0026from=rfkpqRi-\u0026ags=KZde\u0026text=x\r\n\u0026ags=AS79lq\u0026channel=YJa3f673\u0026aq=GyZCExee0D\u0026ai=CgX0bplH8YtBf2ZtNYNiCwngv\r\nThe from, oe, aq, btnG and utm parameters are random strings encoded with the BASE64 algorithm. The string\r\nlength is from 1 to 14 characters. From the list of available parameters, the Trojan randomly chooses the ones it\r\nwill use (from 2 to 11 parameters):\r\ntext=\r\nfrom=\r\nai=\r\nags=\r\noe=\r\naq=\r\nbtnG=\r\noprnd=\r\nai=\r\nutm=\r\nchannel=\r\nThe page address in the domain of the command and control server is chosen randomly from the following list:\r\nwatch/?\r\nsearch/?\r\nfind/?\r\nresults/?\r\nopen/?\r\nsearch/?\r\nclose/?\r\nThe “ai” value stands for the payload title. This value is generated using the following method:\r\n1. The Trojan takes a random DWORD value and 7 bytes of the UID value for GET/POST requests stored in\r\nthe backdoor’s body. 
The UID value is followed by the DWORD value equal to -1 if the first DWORD\r\nvalue is zero. Otherwise, the second DWORD value is taken as the first value.\r\n2. 11 bytes of this buffer are encrypted with the XOR algorithm as follows:\r\ni = 0;\r\nwhile ( 1 )\r\n{\r\n crypted_buffer = (_BYTE *)this-\u003ecrypted_buffer;\r\n if ( i \u003e= this-\u003ecrypted_buffer_size - 4 ) // this-\u003ecrypted_buffer_size == 15\r\n break;\r\n ++i;\r\n // each byte following the leading DWORD is XORed with one byte of that DWORD\r\n crypted_buffer[i + 4] ^= crypted_buffer[i \u0026 3];\r\n}\r\n3. The generated buffer is encoded using the BASE64 alphabet, where the last two characters are replaced\r\nwith “-” and “_”.\r\n4. A 5-character BASE64-encoded string is added to the beginning of the BASE64-encoded buffer.\r\nIn return, the server can send an encoded package or the “400” value. The Trojan checks whether the server’s reply\r\nis positive by searching for the “OK” substring in it. Then the backdoor checks the reply’s size. If the size is 7\r\nbytes or more, the backdoor verifies that the command and control server sent an encoded package. To decode the\r\npackage, the BASE64 alphabet is used, with the last two characters replaced by “-” and “_”. If after the package\r\nhas been decoded its size is bigger than 3 bytes, the Trojan decrypts its first 11 bytes with XOR using a method\r\nsimilar to the one described above.\r\nThe first 4 bytes in the received package are ignored; the next 7 bytes are the key that will be used for the next\r\nPOST requests. 
The rest of the package is the payload.\r\nThe main module of the Trojan can execute the following commands:\r\nCommand Description\r\n0x1F Set the dwell time value for the standby mode\r\n0x29 Activate the controllers\r\n0x2A Set new configuration data and update the list of command and control servers\r\n0x32 Set the dwell time value for the active mode\r\n0x33 Set up the plug-in\r\n0x33 Save the dwell time values into the database\r\n0x34 Activate the plug-ins\r\n0x35 Add configuration data\r\n0x36 Delete the specified configuration data\r\nThe Remote Shell module can execute the following commands:\r\nCommand Description\r\n0x66 Exit\r\n0x65 Open a remote shell\r\n0x68 Verify that the shell is running\r\n0x67 Execute a command\r\nThe module that interacts with the file system can execute the following commands:\r\nCommand Description\r\n0x65 Find the file(s)\r\n0x66 Read the file(s)\r\n0x67 Save the file\r\n0x68 Remove the file(s)\r\n0x69 Run the file(s)\r\nA report on the operations executed by this module is produced as HTML code. The string with this code is\r\ngenerated in the infected computer’s memory and is used without being saved to a file.\r\nThe module monitoring the database checks the connection to the command and control server every millisecond.\r\nIf the connection is established, it checks the values in the prms table of the database. If these values are other than\r\nzero, the module sends them to the command and control server using a POST request.\r\nTo send the POST request, the Trojan uses a random DWORD value and 7 bytes of the key from the encrypted\r\npackage received in reply to the GET request. The 11 bytes that the Trojan receives in the reply are encrypted with the\r\nXOR algorithm (similar to the one used to decrypt the reply to the GET request). Then the data is added to the\r\nencrypted 11 bytes of the key. 
The generated buffer is encoded using the BASE64 alphabet to be sent in the POST\r\nrequest. Next, a random BASE64 string with the length of 5 characters is added to the beginning of the BASE64 string. The POST request’s title is generated similarly to the GET request’s title. The payload is generated using\r\nthe following method:\r\n1. Using zero correction, a random DWORD value is written.\r\n2. Then 11 bytes of the key for POST requests are written. The key is received as a reply to the GET request.\r\n3. Next, other data is added.\r\n4. The first 11 bytes of the received buffer are encrypted with the XOR algorithm.\r\n5. Once it is encrypted using the XOR algorithm, the buffer is encoded with BASE64. A random string with\r\nthe length of 5 characters is added to the beginning of the buffer.\r\nAfter the Trojan has sent 4 POST requests via this thread, it pauses for 1 second and then sends another POST\r\nrequest to the command and control server. This request contains the sqlite3 library’s functions whose addresses\r\nwere successfully acquired (maximum 13).\r\nSource: https://vms.drweb.com/virus/?i=4276269",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://vms.drweb.com/virus/?i=4276269"
	],
	"report_names": [
		"?i=4276269"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434856,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c77d6dd3c01706ac8a47562fdc0fa4d170049cc.pdf",
		"text": "https://archive.orkl.eu/4c77d6dd3c01706ac8a47562fdc0fa4d170049cc.txt",
		"img": "https://archive.orkl.eu/4c77d6dd3c01706ac8a47562fdc0fa4d170049cc.jpg"
	}
}