FontOnLake Rootkit Malware Spotted to Target Linux Systems

A new strain of Linux malware has been discovered that allows thieves remote access and opens the door to additional attacks.

FontOnLake Rootkit Malware Spotted to Target Linux Systems
FontOnLake Rootkit Malware Spotted to Target Linux Systems | Image credits: MakeUseOf

As previously reported by security researchers, a new campaign is likely targeting businesses in Southeast Asia with previously unknown Linux malware that enables remote access for its operators, collects passwords, and acts like a proxy server, according to The Hacker News.

Slovakian antivirus firm ESET calls the malware family FontOnLake and says it contains powerful modules that are constantly updated with a wide range of capabilities, showing an active development phase. Samples posted to VirusTotal suggest the first incursions with this malware may have occurred around May of 2020. Malware with the codename HCRootkit is being tracked by both Avast and Lacework Labs.

FontOnLake's toolkit contains three components that are trojanized copies of real Linux utilities that are used to load user mode backdoors and kernel mode rootkits. All three components communicate with one another through virtual files. All of the functionality of the C++-based implants, including system monitors, concealed network command execution, and account credential exfiltration, are included.

Cybersecurity researcher Vladislav Hrčka at ESET said "The sneaky nature of FontOnLake's tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks," [...] "To collect data or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake's presence is always accompanied by a rootkit. These binaries are commonly used on Linux systems and can additionally serve as a persistence mechanism."

FontOnLake malware is available in two variants

There are two variations of the backdoor, one of which can operate as a proxy, the other of which can edit files, and the third of which can execute Python scripts and shell commands in addition to adding features from the other two.

Both variants of the Linux rootkit, based on Suterusu open-source project, share capabilities such as masking processes, files, network connections, and themselves while also being able to perform file operations and extract and execute the user-mode backdoor, according to ESET.

No one knows exactly how the intruders got access at first, but a cybersecurity firm has discovered that they are using many command-and-and-control (C2) servers with various non-standard ports in order to avoid leaving any traces. The VirusTotal artifacts no longer show any C2 servers operating.