Home Malware FontOnLake Linux Malware Used in Targeted Attacks

FontOnLake Linux Malware Used in Targeted Attacks


A previously unknown, modular malware family that targets Linux systems has been used in targeted attacks to collect credentials and gain access to victim systems, ESET reported on Thursday.

Dubbed FontOnLake, the malware family employs a rootkit to conceal its presence and uses different command and control servers for each sample, which shows how careful its operators are to maintain a low profile.

What’s more, the malware developers are constantly modifying the FontOnLake modules, and use three categories of components that have been designed to work together, namely trojanized applications, backdoors, and rootkits.

Evidence suggests that FontOnLake has been used in attacks aimed at organizations in Southeast Asia.

The first malware samples related to this family emerged last May. The malware was previously described by Avast and Lacework as the HCRootkit / Sutersu Linux rootkit, as well as by Tencent Security Response Center in a February report.

The various trojanized applications that ESET’s researchers have identified during their investigation are used to load custom backdoor or rootkit modules, but also to collect sensitive data when needed. Posing as standard Linux utilities, these files were also designed to achieve persistence on the compromised systems.

What the researchers haven’t figured out yet is the manner in which the trojanized applications are delivered to the victims.

ESET’s analysis of FontOnLake has revealed the use of three different backdoors, all written in C++, all using the same Asio library from Boost, and all capable of exfiltrating sshd credentials and bash command history.

The simplest of the three was designed to launch and mediate access to a local SSH server, update itself, and transmit collected credentials. The malware appears to be under development.

Similarly, the second backdoor exfiltrates credentials, provides access to a customized sshd and serves as a proxy, but is also capable of file manipulation, updating itself, listing directories, and uploading and downloading files.

Capable of running in both client and server mode, the third backdoor accepts remote connections, serves as a proxy and can download and run Python scripts, in addition to exfiltrating credentials. It also mediates I/O of the scripts and commands, ESET explains.

The researchers discovered two rootkit versions used in these attacks, both based on the open-source project Suterusu, and both capable of hiding processes, files, network connections, and themselves, while also exposing collected credentials to the backdoor.

The first of the rootkits can monitor traffic for specially crafted ICMP packets and fetching and running binaries (backdoors), while the second one includes support for additional commands and features a different implementation of several capabilities.

Related: ESET Discovers UEFI Bootkit in Cyber Espionage Campaign

Related: Diplomatic Entities Targeted with New ‘Moriya’ Windows Rootkit

Related: New Chinese Threat Group ‘GhostEmperor’ Targets Governments, Telecom Firms

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:
Tags:



Source link

RELATED ARTICLES

‘Critical Severity’ Warning for Malware Embedded in Popular JavaScript Library

Security responders are scrambling this weekend to assess the damage from crypto-mining malware embedded in an npm package (JavaScript library) that counts close...

Popular NPM Package Hijacked to Publish Crypto-mining Malware

The U.S. Cybersecurity and Infrastructure Security Agency on Friday warned of crypto-mining malware embedded in "UAParser.js," a popular JavaScript NPM library with over...

Microsoft Introduces Security Program for Non-Profits

Tech giant Microsoft has rolled out new security offering to provide non-profit organizationss with additional security in the event of a nation-state attack. Microsoft...

Most Popular

‘Critical Severity’ Warning for Malware Embedded in Popular JavaScript Library

Security responders are scrambling this weekend to assess the damage from crypto-mining malware embedded in an npm package (JavaScript library) that counts close...

Popular NPM Package Hijacked to Publish Crypto-mining Malware

The U.S. Cybersecurity and Infrastructure Security Agency on Friday warned of crypto-mining malware embedded in "UAParser.js," a popular JavaScript NPM library with over...

Cisco Talos Intelligence Group – Comprehensive Threat Intelligence: Threat Roundup for October 15 to October 22

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 15 and Oct. 22. As with previous roundups, this post...

Recent Comments