FontOnLake Malware to Attack Linux users in Southeast Asia: ESET

Researchers from security firm ESET have discovered a previously unknown malware family that utilises custom and well-designed modules, targeting operating systems running Linux. Modules used by this malware family, which ESET dubbed FontOnLake, are constantly under development and provide remote access to the operators, collect credentials, and serve as a proxy server. The location of the C&C server and the countries from which the samples were uploaded to VirusTotal might indicate that its targets include Southeast Asia, the researchers said.

“The sneaky nature of FontOnLake’s tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks,” explained Vladislav Hrčka, ESET Malware Researcher who analyzed this threat.

To collect data or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake’s presence is always accompanied by a rootkit. These binaries are commonly used on Linux systems and can additionally serve as a persistence mechanism.

ESET researchers believe that FontOnLake’s operators are overly cautious since almost all samples seen by ESET use different, unique C&C servers with varying non-standard ports. The authors use mostly C/C++ and various third-party libraries such as Boost, Poco and Protobuf. The first known file of this malware family appeared on VirusTotal last May and other samples were uploaded throughout the year. None of the C&C servers used in samples uploaded to VirusTotal were active at the time of writing, indicating that they could have been disabled due to the upload.

Avast and Lacework Labs are tracking the same malware under the moniker HCRootkit, reported Hacker News.
ESET said it found two different versions of the Linux rootkit, both based on an open-source project called Suterusu, which share overlaps in functionality, including hiding processes, files, network connections, and itself, while also being able to carry out file operations, and extract and execute the user-mode backdoor. It is currently not known how the attackers gain initial access to the network, but the cybersecurity company noted that the threat actor behind the attacks is “overly cautious” to avoid leaving any tracks by relying on different, unique command-and-control (C2) servers with varying non-standard ports. All the C2 servers observed in the VirusTotal artifacts are no longer active.

“Their scale and advanced design suggest that the authors are well versed in cybersecurity and that these tools might be reused in future campaigns,” Hrčka said. “As most of the features are designed just to hide its presence, relay communication, and provide backdoor access, we believe that these tools are used mostly to maintain an infrastructure which serves some other, unknown, malicious purposes.”
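The rootkit component described above hides processes from the /proc listing that tools such as ps rely on. One defender-side check for that class of behaviour is the classic "unhide" comparison: ask the kernel directly whether each PID exists and flag any PID that is alive but missing from /proc. The script below is an added example written for this article, not ESET's code and not a FontOnLake-specific signature; the function names, the pid_max fallback of 32768 and the double-pass race filter are this example's own assumptions.

```python
"""Added example (not from ESET or the article): detect PIDs that the kernel
reports as alive but that do not appear in the /proc directory listing, a
common symptom of a process-hiding rootkit."""
import errno
import os
from typing import Callable, List, Set


def pids_listed_in_proc(proc_root: str = "/proc") -> Set[int]:
    """PIDs visible as numeric directory names under /proc (what `ps` sees)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pid_is_alive(pid: int) -> bool:
    """Kernel-level liveness probe: signal 0 is never delivered, but the kernel
    still reports whether the PID exists. EPERM means it exists but belongs to
    another user; ESRCH means it does not exist."""
    try:
        os.kill(pid, 0)
    except OSError as exc:
        return exc.errno == errno.EPERM
    return True


def read_pid_max(path: str = "/proc/sys/kernel/pid_max") -> int:
    """Upper bound of the PID space; 32768 is the assumed fallback if unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 32768


def find_hidden_pids(list_visible: Callable[[], Set[int]],
                     alive: Callable[[int], bool],
                     max_pid: int) -> List[int]:
    """Return PIDs that `alive` confirms but `list_visible` never shows.

    The listing and the probes are injectable so the logic can be tested
    offline. Two passes are used: a process that starts between the first
    listing and the probe would look hidden, so every candidate is re-checked
    against a fresh listing and a fresh probe before it is reported."""
    first = list_visible()
    candidates = [pid for pid in range(1, max_pid + 1)
                  if pid not in first and alive(pid)]
    if not candidates:
        return []
    second = list_visible()
    return [pid for pid in candidates if pid not in second and alive(pid)]


def scan_live_system() -> List[int]:
    """Run the comparison against the real /proc of this host."""
    return find_hidden_pids(pids_listed_in_proc, pid_is_alive, read_pid_max())


if __name__ == "__main__":
    hidden = scan_live_system()
    if hidden:
        print("PIDs alive but absent from /proc (investigate):", hidden)
    else:
        print("No hidden PIDs detected by the /proc vs kill(0) comparison.")
```

Run it as root so that EPERM does not mask other users' processes, and treat a hit as one signal rather than proof: a kernel-module rootkit that also filters the kill() path can evade this comparison, so it is best combined with package-manager integrity checks of the system binaries the article says are being trojanised (for example rpm -V or debsums) and with network-side baselining of outbound connections to unusual ports.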
Author Info - W.Media