FontOnLake malware infects Linux systems via trojanized utilities

A newly discovered malware family infects Linux systems by hiding inside legitimate binaries. Dubbed FontOnLake, the threat provides backdoor and rootkit components.

The malware has low prevalence in the wild and benefits from an advanced design that allows it to maintain prolonged persistence on an infected system.

Hiding in legitimate utilities

FontOnLake has several modules that interact with each other and allow the malware to communicate with its operators, steal sensitive data and remain hidden on the system.

ESET researchers have found several malware samples uploaded to the VirusTotal scanning service throughout the past year, the first appearing in May 2020.

Marked by a stealthy and sophisticated design, FontOnLake is likely used in targeted attacks by operators cautious enough to use single Command and Control (C2) servers for “almost all samples” and various non-standard ports.

While ESET researchers have established that FontOnLake is distributed via trojanized applications, they are unsure how victims are lured into downloading the modified binaries.

Some of the Linux utilities that the threat actor modified to deliver FontOnLake include:

  • cat – used to print the contents of a file
  • kill – lists all running processes
  • sftp – secure FTP utility
  • sshd – the OpenSSH server process

“All Trojan horse files are standard Linux utilities and serve as a persistence method as they are usually executed at system startup”, Vladislav Hrčka, malware and reverse engineering analyst at ESET,

According to the researchers, the trojanized utilities were probably modified at the source code level, indicating that the threat actor compiled them and replaced the originals.

Besides carrying the malware, the role of these modified binaries is to load additional payloads, collect information, or perform other malicious actions.
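Because the trojanized utilities are package-owned binaries that were recompiled and swapped in place, a package-manager integrity check is the first thing a defender would run on a suspect host. The following is an added example (not code from ESET's report or the article): it parses `rpm -V` verify output, which is appropriate for the el6/el7 hosts the rootkit targets, and flags the named utilities whose on-disk content no longer matches the RPM database. The `SAMPLE` lines are constructed, not output from a real infected system.

```python
"""Flag package-owned binaries whose content differs from the RPM database.
Added defender-side check, not ESET's or the article's code; assumes an
RPM-based host and the standard nine-column `rpm -V` line format."""
import re
import shutil
import subprocess

# Utilities the article names as trojanized (hypothetical watch list).
WATCHED = ["cat", "kill", "sftp", "sshd"]

# rpm -V line: nine attribute columns (or "missing"), an optional
# file-type marker (c=config, d=doc, ...), then the path.
_VERIFY_LINE = re.compile(r"^(missing|[S.?M5DLUGTP]{9})\s+(?:[cdglr]\s+)?(\S.*)$")


def parse_rpm_verify(output: str) -> dict:
    """Map each reported path to its attribute string."""
    result = {}
    for line in output.splitlines():
        m = _VERIFY_LINE.match(line.strip())
        if m:
            result[m.group(2)] = m.group(1)
    return result


def content_changed(attrs: str) -> bool:
    """True when the file body differs from the packaged one: size (S),
    digest (5), or the file is missing. A lone mtime (T) or owner/group
    (U/G) difference is not a content change."""
    return attrs == "missing" or "S" in attrs or "5" in attrs


def suspicious_binaries(verify_output: str) -> list:
    """Sorted paths from rpm -V output whose content was altered."""
    return sorted(p for p, a in parse_rpm_verify(verify_output).items()
                  if content_changed(a))


def verify_watched_live() -> list:
    """Run rpm -V on the packages owning WATCHED (needs rpm on the host)."""
    if shutil.which("rpm") is None:
        raise RuntimeError("rpm not available; this check is for RPM-based hosts")
    paths = [p for p in (shutil.which(n) for n in WATCHED) if p]
    pkgs = subprocess.run(["rpm", "-qf", *paths], capture_output=True,
                          text=True).stdout.split()
    out = subprocess.run(["rpm", "-V", *sorted(set(pkgs))], capture_output=True,
                         text=True).stdout
    return suspicious_binaries(out)


# Constructed sample output: cat and sshd recompiled, sftp removed,
# kill only touched (mtime), sshd_config mode-changed but intact.
SAMPLE = """S.5....T.    /usr/bin/cat
.......T.    /usr/bin/kill
S.5....T.    /usr/sbin/sshd
missing      /usr/bin/sftp
.M.....T.  c /etc/ssh/sshd_config
"""
```

Run `verify_watched_live()` as root on a suspect host; a hit on any of the watched binaries is grounds for a full rootkit sweep rather than a simple reinstall, since the hidden kernel module would survive the latter.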

Researchers have discovered three custom backdoors written in C++ associated with the FontOnLake malware family, which allow operators to gain remote access to the infected system.

A function common to all three is forwarding the collected sshd credentials and bash command history to the C2 server. They also use custom heartbeat commands to keep the connection to the control server alive.

Based on an open source rootkit

In a technical report released this week, ESET notes that the presence of FontOnLake on a compromised system is obscured by a rootkit component, which is also responsible for updates and delivery of fallback backdoors.

All rootkit samples that ESET found target kernel versions 2.6.32-696.el6.x86_64 and 3.10.0-229.el7.x86_64. Both discovered versions are based on an eight-year-old open source rootkit project called Suterusu and can hide processes, files, network connections, and the rootkit itself.

Communication between the trojanized applications and the rootkit is done via a virtual file that the latter creates. An operator can read data from or write data to this file and have it exfiltrated by the backdoor component.

Researchers believe the author of FontOnLake is “well versed in cybersecurity” and disabled the C2 servers used in the samples found on VirusTotal once they became aware of the upload.

A whiff of FontOnLake

ESET says FontOnLake may be the same malware previously analyzed by researchers at Tencent Security Response Center, who associated it with an advanced persistent threat incident.

In a tweet at the end of August, cybersecurity firm Avast announced that it had found new Linux malware using Suterusu, which it named HCRootkit.

Their description matches ESET’s findings: HCRootkit is delivered by a “coreutils binary with backdoor” which also drops a backdoor written in C++.

“The main purpose of the rootkit component is to hide the payload from step 2 and make sure that the traffic from the CNC bypasses the firewall by installing a netfilter hook and redirecting the CNC packets to give the impression that the packets come from localhost,” Avast said.

Lacework Labs also published an analysis of HCRootkit, sharing details that appear to confirm the malware is the same as FontOnLake.
