A newly discovered family of malware infects Linux systems by hiding inside legitimate-looking binaries. Dubbed FontOnLake, the threat provides backdoor and rootkit components.
The malware has low prevalence in the wild and benefits from an advanced design that lets it maintain prolonged persistence on an infected system.
Hiding in legitimate utilities
FontOnLake has several modules that interact with each other, enable communication with the malware operators, steal sensitive data, and keep the malware hidden on the system.
ESET researchers have found several malware samples uploaded to the VirusTotal scanning service throughout the past year, the first appearing in May 2020.
Marked by a stealthy and sophisticated design, FontOnLake is likely used in targeted attacks by operators cautious enough to use unique Command and Control (C2) servers for “almost all samples” and a variety of non-standard ports.
While ESET researchers have discovered that FontOnLake is distributed via trojanized applications, they are unsure how victims are lured into downloading the modified binaries.
Some of the Linux utilities that the threat actor modified to provide FontOnLake include:
- cat – used to print the contents of a file
- kill – lists all running processes
- sftp – secure FTP utility
- sshd – the OpenSSH server process
According to the researchers, the trojanized utilities were probably modified at the source-code level, indicating that the threat actor compiled them and replaced the originals.
Besides carrying the malware, the role of these modified binaries is to load additional payloads, collect information, or perform other malicious actions.
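Because the trojanized utilities are rebuilt copies that replace the distribution's own binaries, a first triage step on the RHEL/CentOS hosts the samples target is to check those files against the RPM database. The script below is an added example, not code from the article or from ESET; it assumes the default package layout (cat in coreutils, kill in util-linux, sftp in openssh-clients, sshd in openssh-server) and parses `rpm -V` output, which is demonstrated offline on a constructed sample.

```shell
#!/bin/sh
# Added example (not from the article or the ESET report): flag package-managed
# binaries whose on-disk content no longer matches what the RPM database recorded.
# FontOnLake replaced cat, kill, sftp and sshd with rebuilt copies, so on an
# el6/el7 host those files fail the digest ("5") or size ("S") check of rpm -V.
# Assumption: default CentOS/RHEL package layout; adjust via "rpm -qf <path>".
PACKAGES="coreutils util-linux openssh-clients openssh-server"

# Reads rpm -V style lines on stdin and prints the paths that are missing,
# differ in size, or differ in digest. Lines carrying the "c" attribute are
# config files, which legitimately drift and are skipped.
# rpm -V line layout: 9-char flag field, optional attribute letter, then path.
flag_modified_files() {
    awk '
        $1 == "missing"      { print $NF; next }
        NF >= 3 && $2 == "c" { next }
        substr($1,1,1) == "S" || substr($1,3,1) == "5" { print $NF }
    '
}

# Live check. Run it from a trusted rescue environment: the rootkit component
# described in the article can hide files from a running, compromised kernel,
# so userland results on a live host are not trustworthy on their own.
verify_packages() {
    for p in $PACKAGES; do
        rpm -V "$p"
    done | flag_modified_files
}

# Constructed sample of rpm -V output (not captured from a real host).
SAMPLE_RPM_V='S.5....T.    /usr/bin/cat
.......T.    /usr/bin/sort
.......T.  c /etc/ssh/sshd_config
S.5....T.    /usr/sbin/sshd
missing     /usr/bin/sftp'

# Offline demonstration on the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_RPM_V" | flag_modified_files
}
```

A hit from this check is a lead, not a verdict: compare the flagged file against a pristine copy from the package mirror before treating it as the trojanized binary.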
Researchers have discovered three custom backdoors written in C++ associated with the FontOnLake malware family, which give operators remote access to the infected system.
A function common to all three is forwarding the collected sshd credentials and bash command history to the C2 server. They also use custom heartbeat commands to keep the connection to the monitoring server active.
Based on an open source rootkit
In a technical report released this week, ESET notes that FontOnLake's presence on a compromised system is obscured by a rootkit component, which is also responsible for updates and for delivering fallback backdoors.
All rootkit samples that ESET found target kernel versions 2.6.32-696.el6.x86_64 and 3.10.0-229.el7.x86_64. Both discovered versions are based on an eight-year-old open-source rootkit project called Suterusu and can hide processes, files, network connections, and themselves.
Communication between the trojanized applications and the rootkit takes place via a virtual file that the rootkit creates. An operator can read or write data to this file and have it exported by the backdoor component.
Researchers believe the author of FontOnLake is “well versed in cybersecurity” and disabled the C2 servers used in the samples found on VirusTotal once they learned of the download.
A whiff of FontOnLake
ESET says FontOnLake may be the same malware previously analyzed by researchers at Tencent Security Response Center, who associated it with an advanced persistent threat (APT) incident.
In a tweet at the end of August, cybersecurity firm Avast announced that it had found new Linux malware using Suterusu, which it named HCRootkit.
Their description matches ESET's findings: HCRootkit is delivered by a “coreutils binary with backdoor” that also drops a backdoor written in C++.
Lacework Labs also released an analysis of HCRootkit that shares details which appear to confirm the malware is the same as FontOnLake.