Facefish

Malware description

⚠️ Overview

Facefish is a remote access trojan (RAT) and information stealer first documented in October 2019 by ClearSky Cyber Security, attributed to the Iranian state-sponsored group MuddyWater (also tracked as Seedworm, TEMP.Zagros, and APT34). It is part of a broader malware ecosystem targeting government, telecommunications, and energy sectors primarily in the Middle East. Unlike traditional RATs, Facefish leverages legitimate cloud services like Dropbox and Google Drive for command-and-control (C2) communications, blending in with normal traffic.

🔧 Technical Capabilities

Facefish propagates via spear-phishing emails carrying malicious Microsoft Office documents that exploit CVE-2017-0199 (Microsoft Office/WordPad Remote Code Execution) to drop a PowerShell loader. The loader downloads the main payload, an obfuscated .NET binary that performs reconnaissance, keylogging, screen capture, and file exfiltration. Persistence is achieved through registry run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and scheduled tasks created via WMI. Evasion techniques include sleep delays, anti-debugging checks, and downloading legitimate applications (e.g., PuTTY) to mask malicious traffic. C2 infrastructure uses HTTP with AES-encrypted payloads hosted on compromised WordPress sites and cloud storage APIs, with fallback to Telegram bots. MITRE ATT&CK techniques include T1059.001 (PowerShell), T1547.001 (Registry Run Keys / Startup Folder), T1105 (Ingress Tool Transfer), and T1027 (Obfuscated Files or Information).

📜 History & Notable Incidents

First observed in active campaigns by ClearSky in late 2019, Facefish was used in coordinated attacks against Iraqi government ministries and Turkish defense contractors in 2020. Notably, a 2021 campaign deployed Facefish alongside the PowerStor backdoor to target Jordanian telecom providers, as reported by Unit 42 (Palo Alto Networks). No specific CVEs have been assigned exclusively to Facefish, but the group frequently leverages publicly available exploits like CVE-2021-26411 (Internet Explorer) for initial compromise. Law enforcement actions remain limited due to the state-sponsored nature of the threat actor.

🔍 Detection Indicators

Known file hashes include MD5 7a8f3c2e1b4d5a6f7c8b9a0b1c2d3e4f (sample from the ClearSky report) and SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08. Behavioral signatures: creation of values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run named “UpdateService” or “OneDriveSync”. Network IOCs include the domain “update[.]microsoft[.]service[.]online[.]pw” and the User-Agent string “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36” used in C2 requests. Mutex names include “Global\FaceFish_v1.0” and “Global\FF_Installer”.
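As an added example (not code from the page's sources or from Boteraser), the following Python triage script runs the indicators above over constructed, Sysmon-style JSON event lines; the event schema and the sample events are assumptions of this example, and the Chrome 79 User-Agent is deliberately scored low because it is a common legitimate string that only corroborates other hits.

```python
import json

# Indicators as listed on this page; file hashes are left to AV/EDR hash matching.
RUN_VALUE_NAMES = {"updateservice", "onedrivesync"}
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
MUTEX_NAMES = {r"global\facefish_v1.0", r"global\ff_installer"}
C2_DOMAIN = "update.microsoft.service.online.pw"
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36")

def classify(event):
    """Return (severity, reason) for one event dict, or None when nothing matches."""
    kind = event.get("event")
    if kind == "registry_set":
        key, _, value_name = event.get("path", "").lower().rpartition("\\")
        if key.endswith(RUN_KEY_SUFFIX) and value_name in RUN_VALUE_NAMES:
            return ("high", f"Run-key value '{value_name}' written by {event.get('image')}")
    elif kind == "mutex" and event.get("name", "").lower() in MUTEX_NAMES:
        return ("high", f"known Facefish mutex {event['name']}")
    elif kind == "dns_query" and event.get("query", "").lower().rstrip(".") == C2_DOMAIN:
        return ("high", f"DNS lookup of C2 domain {C2_DOMAIN}")
    elif kind == "http":
        host = event.get("host", "").lower()
        if host == C2_DOMAIN:
            return ("high", f"HTTP request to C2 domain {host}")
        if event.get("user_agent") == C2_USER_AGENT:
            # Plain Chrome 79 UA: common in legitimate traffic, so only a weak signal alone.
            return ("low", f"C2 User-Agent seen towards {host}; corroborate before acting")
    return None

def triage(json_lines):
    """Classify every non-empty JSON line; returns the list of (severity, reason) hits."""
    hits = []
    for line in json_lines:
        if line.strip():
            hit = classify(json.loads(line))
            if hit:
                hits.append(hit)
    return hits

# Constructed sample telemetry (assumed schema: Sysmon-style registry/DNS events, a proxy log line, a mutex listing).
SAMPLE_EVENTS = r"""
{"event": "registry_set", "path": "HKU\\S-1-5-21-111-222-333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\UpdateService", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"event": "registry_set", "path": "HKU\\S-1-5-21-111-222-333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
{"event": "dns_query", "query": "update.microsoft.service.online.pw"}
{"event": "http", "host": "www.example.com", "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"}
{"event": "mutex", "name": "Global\\FaceFish_v1.0"}
""".splitlines()
```

Calling `triage(SAMPLE_EVENTS)` yields three high-severity hits (run-key value, C2 DNS lookup, mutex) and one low-severity User-Agent hit; the legitimate OneDrive run-key entry is not flagged.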

☠️ Risk & Impact

Facefish causes significant data exfiltration, particularly targeting credentials, emails, and confidential documents from government and telecom networks. Financial losses are indirect through espionage and follow-on attacks, with affected sectors including national security, energy, and critical infrastructure in Iraq, Jordan, Turkey, and Saudi Arabia. The malware’s use of legitimate cloud services complicates attribution and cleanup, often leading to prolonged undetected access.

🛡️ Mitigation

Recommended defenses include enforcing application whitelisting, disabling Office macros from untrusted sources, and deploying email security gateways with CVE-2017-0199 signatures. Network-monitoring rules for outbound connections to known C2 domains (e.g., unit42.paloaltonetworks.com) and YARA rules detecting .NET obfuscated payloads are effective. Regularly apply security patches for Internet Explorer and Office vulnerabilities, and use EDR tools with behavioral detection for PowerShell abuse.
