Cybersecurity researchers have warned of FontOnLake, a rootkit-backed malware family targeting Linux systems, especially in Southeast Asia. The malware is engineered to give its operators remote access, harvest credentials, and act as a proxy server.
According to ESET, a cybersecurity firm, the FontOnLake malware consists of well-designed modules that are continuously upgraded with new features, indicating active development. Samples uploaded to VirusTotal suggest that the first intrusions using this threat may date back to May 2020.
According to ESET researcher Vladislav Hrčka, “The sneaky nature of FontOnLake’s tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks. To collect data or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake’s presence is always accompanied by a rootkit. These binaries are commonly used on Linux systems and can additionally serve as a persistence mechanism.”
FontOnLake's toolset has three kinds of components: trojanized versions of legitimate Linux utilities, user-mode backdoors, and kernel-mode rootkits. The trojanized utilities are used to load the rootkits and backdoors, and the components communicate with one another through virtual files. The C++ backdoors are devised to monitor the system, covertly execute commands, and exfiltrate account credentials; a second variant adds the ability to act as a proxy, manipulate files, and download arbitrary files, while the third inherits features from the other two and can additionally execute Python scripts and shell commands.
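Because the loaders are package-owned utilities whose contents were altered, the first thing a responder checks is whether the package manager still vouches for the installed binaries. The following is an added example, not ESET's code or anything from the FontOnLake samples: it parses the verification output that rpm -Va and dpkg -V produce (both use a nine-character attribute field, an optional file-type marker, then the path) and reports package-owned code files whose digest no longer matches or that are missing. The sample output, the CODE_DIRS list and the helper names are assumptions made for illustration.

```python
import re
import shutil
import subprocess

# rpm -Va and dpkg -V share one line shape: a 9-character attribute field
# (or the word "missing"), an optional one-letter type marker such as "c"
# for a config file, then the path. Position 3 is the digest check ("5"
# when it differs); a changed digest on a package-owned binary is exactly
# what a trojanized utility looks like to the package manager.
VERIFY_LINE = re.compile(r"^(missing|[S.?M5DLUGTP]{9})\s+(?:([a-z])\s+)?(/\S.*)$")

# Directories whose package-owned files are executables or loadable code
# (assumed list; a digest change here matters more than one under /etc).
CODE_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
             "/usr/lib/", "/usr/lib64/", "/usr/libexec/")


def parse_verify_line(line):
    """Return a dict describing one rpm -Va / dpkg -V line, or None for noise."""
    m = VERIFY_LINE.match(line.rstrip())
    if not m:
        return None
    attrs, ftype, path = m.groups()
    missing = attrs == "missing"
    return {
        "path": path,
        "config": ftype == "c",
        "missing": missing,
        "digest_changed": (not missing) and attrs[2] == "5",
        "mode_changed": (not missing) and attrs[1] == "M",
        "size_changed": (not missing) and attrs[0] == "S",
    }


def tampered_code_files(verify_output):
    """Paths of package-owned code files whose contents no longer match the package."""
    hits = []
    for line in verify_output.splitlines():
        rec = parse_verify_line(line)
        if rec is None or rec["config"]:
            continue  # config files are expected to drift; binaries are not
        if rec["path"].startswith(CODE_DIRS) and (rec["digest_changed"] or rec["missing"]):
            hits.append(rec["path"])
    return hits


def run_package_verify():
    """Run whichever verifier exists; returns raw output ('' if neither tool is installed)."""
    for cmd in (["rpm", "-Va"], ["dpkg", "-V"]):
        if shutil.which(cmd[0]):
            # Both tools exit non-zero whenever anything differs, so no check=True.
            return subprocess.run(cmd, capture_output=True, text=True).stdout
    return ""


# Constructed sample in rpm -Va / dpkg -V format (not real FontOnLake output).
SAMPLE_VERIFY_OUTPUT = """\
S.5....T.    /usr/bin/ssh
.......T.    /usr/bin/scp
S.5....T.  c /etc/ssh/sshd_config
missing      /usr/sbin/sshd
??5??????    /usr/lib/x86_64-linux-gnu/libpam.so.0
"""

if __name__ == "__main__":
    output = run_package_verify() or SAMPLE_VERIFY_OUTPUT
    for path in tampered_code_files(output):
        print("content mismatch:", path)
```

Two caveats apply when this is run on a suspect host rather than on the sample: an attacker with root can rewrite the package database so that the modified binary verifies cleanly, and a kernel rootkit can serve the original bytes to the verifier while the loader runs the modified ones. Run the check from a trusted boot medium against a package database you control, or compare hashes against the distribution's repository metadata, before trusting a clean result.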
ESET found two different versions of the Linux rootkit based on an open-source project called Suterusu. They share overlaps in functionality, including hiding processes, files, network connections, and itself. They are also able to carry out file operations and extract and execute the user-mode backdoor.
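A rootkit that filters what a /proc listing returns can only hide from readers that walk the directory; the kernel still answers for the process through other paths. The cross-view check below is an added example, not ESET's code and not derived from the Suterusu project: it compares the PIDs a /proc listing shows with the PIDs that answer kill(pid, 0), then uses the Tgid field of /proc/<pid>/status to discard thread IDs, which also answer the probe but are never listed. Function names and the constructed inputs in the pure comparison are assumptions for illustration.

```python
import os


def listed_pids():
    """PIDs visible when /proc is enumerated: the view a rootkit typically filters."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_exists(pid):
    """True if the kernel knows this PID; kill(pid, 0) checks without sending a signal."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:   # ESRCH: no such process
        return False
    except PermissionError:      # EPERM: exists, owned by another user
        return True
    return True


def thread_group_id(pid):
    """Tgid from /proc/<pid>/status, or None if the entry cannot be read."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def hidden_pids(listed, probed, tgid_of):
    """Pure comparison: PIDs the kernel admits to but the listing omits.

    A PID whose Tgid points at a different process is a thread, not a hidden
    process. A PID that answers the probe but has no readable /proc entry at
    all is reported too: it is either hidden more thoroughly or raced the scan.
    """
    suspects = set()
    for pid in probed - listed:
        tgid = tgid_of(pid)
        if tgid is None or tgid == pid:
            suspects.add(pid)
    return suspects


def scan(limit=None):
    """Cross-view scan of the live system; two listings bracket the probe to damp PID churn."""
    if limit is None:
        with open("/proc/sys/kernel/pid_max") as f:
            limit = int(f.read())
    before = listed_pids()
    probed = {pid for pid in range(1, limit + 1) if pid_exists(pid)}
    after = listed_pids()
    # Anything present in either listing was visible at some point: not hidden.
    candidates = hidden_pids(before | after, probed, thread_group_id)
    # Drop short-lived processes that exited between the probe and now.
    return {pid for pid in candidates if pid_exists(pid)}


def self_pid():
    return os.getpid()


if __name__ == "__main__":
    for pid in sorted(scan()):
        print(f"PID {pid} answers kill(0) but is not listed in /proc")
```

The scan walks every PID up to pid_max, which takes a few seconds in Python but needs no privileges. It is a heuristic: a rootkit that also hooks the kill and stat paths defeats it, and a hit only says the two views disagree, so confirm with an out-of-band view (a memory image or an offline boot) before acting. The same idea applies to the hidden network connections ESET describes, by comparing socket inodes found under /proc/<pid>/fd with the entries in /proc/net/tcp.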
It is still not clear how the attackers gain initial access to the network. According to ESET, the threat actor behind the attacks is "overly cautious" about leaving tracks, relying on different, unique command-and-control (C2) servers with varying non-standard ports. All the C2 servers observed in the VirusTotal artifacts are no longer active.
Hrčka said, “Their scale and advanced design suggest that the authors are well versed in cybersecurity and that these tools might be reused in future campaigns. As most of the features are designed just to hide its presence, relay communication, and provide backdoor access, we believe that these tools are used mostly to maintain an infrastructure which serves some other, unknown, malicious purposes.”