Researchers Warn of FontOnLake Rootkit Malware Targeting Linux Systems


Cybersecurity researchers have detailed a new campaign that likely targets entities in Southeast Asia with a previously unrecognized Linux malware that is engineered to enable remote access for its operators, in addition to amassing credentials and functioning as a proxy server.

The malware family, dubbed “FontOnLake” by Slovak cybersecurity firm ESET, is said to feature “well-designed modules” that are continuously being upgraded with new features, indicating an active development phase. Samples uploaded to VirusTotal point to the possibility that the very first intrusions using this threat have been happening as early as May 2020.

Avast and Lacework Labs are tracking the same malware under the moniker HCRootkit.

“The sneaky nature of FontOnLake’s tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks,” ESET researcher Vladislav Hrčka said. “To collect data or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake’s presence is always accompanied by a rootkit. These binaries are commonly used on Linux systems and can additionally serve as a persistence mechanism.”

FontOnLake’s toolset includes three components that consist of trojanized versions of legitimate Linux utilities that are used to load kernel-mode rootkits and user-mode backdoors, all of which communicate with one another using virtual files. The C++-based implants themselves are designed to monitor systems, secretly execute commands on networks, and exfiltrate account credentials.

A second permutation of the backdoor also comes with capabilities to act as a proxy, manipulate files, and download arbitrary files, while a third variant, besides incorporating features from the other two backdoors, is equipped to execute Python scripts and shell commands.

ESET said it found two different versions of the Linux rootkit that are based on an open-source project called Suterusu and share overlaps in functionality, including hiding processes, files, network connections, and itself, while also being able to carry out file operations, and extract and execute the user-mode backdoor.

It is currently not known how the attackers gain initial access to the network, but the cybersecurity company noted that the threat actor behind the attacks is “overly cautious” to avoid leaving any tracks by relying on different, unique command-and-control (C2) servers with varying non-standard ports. All of the C2 servers observed in the VirusTotal artifacts are no longer active.

“Their scale and advanced design suggest that the authors are well versed in cybersecurity and that these tools might be reused in future campaigns,” Hrčka said. “As most of the features are designed just to hide its presence, relay communication, and provide backdoor access, we believe that these tools are used mostly to maintain an infrastructure which serves some other, unknown, malicious purposes.”


