A previously unknown, modular malware family that targets Linux systems has been used in targeted attacks to collect credentials and gain access to victim systems, ESET reported on Thursday.
Dubbed FontOnLake, the malware family employs a rootkit to conceal its presence and uses different command and control servers for each sample, which shows how careful its operators are to maintain a low profile.
What’s more, the malware developers are constantly modifying the FontOnLake modules, and use three categories of components that have been designed to work together, namely trojanized applications, backdoors, and rootkits.
Evidence suggests that FontOnLake has been used in attacks aimed at organizations in Southeast Asia.
The first malware samples related to this family emerged last May. The malware was previously described by Avast and Lacework as the HCRootkit / Sutersu Linux rootkit, as well as by Tencent Security Response Center in a February report.
The various trojanized applications that ESET’s researchers have identified during their investigation are used to load custom backdoor or rootkit modules, but also to collect sensitive data when needed. Posing as standard Linux utilities, these files were also designed to achieve persistence on the compromised systems.
What the researchers haven’t figured out yet is the manner in which the trojanized applications are delivered to the victims.
ESET’s analysis of FontOnLake has revealed the use of three different backdoors, all written in C++, all using the same Asio library from Boost, and all capable of exfiltrating sshd credentials and bash command history.
The simplest of the three was designed to launch and mediate access to a local SSH server, update itself, and transmit collected credentials. The malware appears to be under development.
Similarly, the second backdoor exfiltrates credentials, provides access to a customized sshd and serves as a proxy, but is also capable of file manipulation, updating itself, listing directories, and uploading and downloading files.
Capable of running in both client and server mode, the third backdoor accepts remote connections, serves as a proxy and can download and run Python scripts, in addition to exfiltrating credentials. It also mediates I/O of the scripts and commands, ESET explains.
The researchers discovered two rootkit versions used in these attacks, both based on the open-source project Suterusu, and both capable of hiding processes, files, network connections, and themselves, while also exposing collected credentials to the backdoor.
The first of the rootkits can monitor traffic for specially crafted ICMP packets and fetching and running binaries (backdoors), while the second one includes support for additional commands and features a different implementation of several capabilities.