Home Malware Researchers Warn of FontOnLake Rootkit Malware Targeting Linux Systems

Researchers Warn of FontOnLake Rootkit Malware Targeting Linux Systems


Linux malware

Cybersecurity researchers have detailed a new campaign that likely targets entities in Southeast Asia with a previously unrecognized Linux malware that’s engineered to enable remote access to its operators, in addition to amassing credentials and function as a proxy server.

The malware family, dubbed “FontOnLake” by Slovak cybersecurity firm ESET, is said to feature “well-designed modules” that are continuously being upgraded with new features, indicating an active development phase. Samples uploaded to VirusTotal point to the possibility that the very first intrusions utilizing this threat have been happening as early as May 2020.

Avast and Lacework Labs are tracking the same malware under the moniker HCRootkit.

Automatic GitHub Backups

“The sneaky nature of FontOnLake’s tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks,” ESET researcher Vladislav Hrčka said. “To collect data or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake’s presence is always accompanied by a rootkit. These binaries are commonly used on Linux systems and can additionally serve as a persistence mechanism.”

FontOnLake’s toolset includes three components that consist of trojanized versions of legitimate Linux utilities that are used to load kernel-mode rootkits and user-mode backdoors, all of which communicate with one another using virtual files. The C++-based implants themselves are designed to monitor systems, secretly execute commands on networks, and exfiltrate account credentials.

Linux malware

A second permutation of the backdoor also comes with capabilities to act as a proxy, manipulate files, download arbitrary files, while a third variant, besides incorporating features from the other two backdoors, is equipped to execute Python scripts and shell commands.

ESET said it found two different versions of the Linux rootkit that’s based on an open-source project called Suterusu and share overlaps in functionality, including hiding processes, files, network connections, and itself, while also being able to carry out file operations, and extract and execute the user-mode backdoor.

Prevent Data Breaches

It’s currently not known how the attackers gain initial access to the network, but the cybersecurity company noted that the threat actor behind the attacks is “overly cautious” to avoid leaving any tracks by relying on different, unique command-and-control (C2) servers with varying non-standard ports. All the C2 servers observed in the VirusTotal artifacts are no longer active.

“Their scale and advanced design suggest that the authors are well versed in cybersecurity and that these tools might be reused in future campaigns,” Hrčka said. “As most of the features are designed just to hide its presence, relay communication, and provide backdoor access, we believe that these tools are used mostly to maintain an infrastructure which serves some other, unknown, malicious purposes.”





Source link

RELATED ARTICLES

‘Critical Severity’ Warning for Malware Embedded in Popular JavaScript Library

Security responders are scrambling this weekend to assess the damage from crypto-mining malware embedded in an npm package (JavaScript library) that counts close...

Popular NPM Package Hijacked to Publish Crypto-mining Malware

The U.S. Cybersecurity and Infrastructure Security Agency on Friday warned of crypto-mining malware embedded in "UAParser.js," a popular JavaScript NPM library with over...

Microsoft Introduces Security Program for Non-Profits

Tech giant Microsoft has rolled out new security offering to provide non-profit organizationss with additional security in the event of a nation-state attack. Microsoft...

Most Popular

‘Critical Severity’ Warning for Malware Embedded in Popular JavaScript Library

Security responders are scrambling this weekend to assess the damage from crypto-mining malware embedded in an npm package (JavaScript library) that counts close...

Popular NPM Package Hijacked to Publish Crypto-mining Malware

The U.S. Cybersecurity and Infrastructure Security Agency on Friday warned of crypto-mining malware embedded in "UAParser.js," a popular JavaScript NPM library with over...

Cisco Talos Intelligence Group – Comprehensive Threat Intelligence: Threat Roundup for October 15 to October 22

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 15 and Oct. 22. As with previous roundups, this post...

Recent Comments