Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

FontOnLake Linux Malware Used in Targeted Attacks

A previously unknown, modular malware family that targets Linux systems has been used in targeted attacks to collect credentials and gain access to victim systems, ESET reported on Thursday.

A previously unknown, modular malware family that targets Linux systems has been used in targeted attacks to collect credentials and gain access to victim systems, ESET reported on Thursday.

Dubbed FontOnLake, the malware family employs a rootkit to conceal its presence and uses different command and control servers for each sample, which shows how careful its operators are to maintain a low profile.

What’s more, the malware developers are constantly modifying the FontOnLake modules, and use three categories of components that have been designed to work together, namely trojanized applications, backdoors, and rootkits.

Evidence suggests that FontOnLake has been used in attacks aimed at organizations in Southeast Asia.

The first malware samples related to this family emerged last May. The malware was previously described by Avast and Lacework as the HCRootkit / Sutersu Linux rootkit, as well as by Tencent Security Response Center in a February report.

The various trojanized applications that ESET’s researchers have identified during their investigation are used to load custom backdoor or rootkit modules, but also to collect sensitive data when needed. Posing as standard Linux utilities, these files were also designed to achieve persistence on the compromised systems.

What the researchers haven’t figured out yet is the manner in which the trojanized applications are delivered to the victims.

ESET’s analysis of FontOnLake has revealed the use of three different backdoors, all written in C++, all using the same Asio library from Boost, and all capable of exfiltrating sshd credentials and bash command history.

Advertisement. Scroll to continue reading.

The simplest of the three was designed to launch and mediate access to a local SSH server, update itself, and transmit collected credentials. The malware appears to be under development.

Similarly, the second backdoor exfiltrates credentials, provides access to a customized sshd and serves as a proxy, but is also capable of file manipulation, updating itself, listing directories, and uploading and downloading files.

Capable of running in both client and server mode, the third backdoor accepts remote connections, serves as a proxy and can download and run Python scripts, in addition to exfiltrating credentials. It also mediates I/O of the scripts and commands, ESET explains.

The researchers discovered two rootkit versions used in these attacks, both based on the open-source project Suterusu, and both capable of hiding processes, files, network connections, and themselves, while also exposing collected credentials to the backdoor.

The first of the rootkits can monitor traffic for specially crafted ICMP packets and fetching and running binaries (backdoors), while the second one includes support for additional commands and features a different implementation of several capabilities.

Related: ESET Discovers UEFI Bootkit in Cyber Espionage Campaign

Related: Diplomatic Entities Targeted with New ‘Moriya’ Windows Rootkit

Related: New Chinese Threat Group ‘GhostEmperor’ Targets Governments, Telecom Firms

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.