Cybersecurity researchers warn of a newly discovered malware targeting Linux systems

Cybersecurity researchers have discovered a new malware family that is currently believed to target devices in Southeast Asia. The malware targets Linux systems and gives its operators remote access, collects credentials and can function as a proxy server.

The malware family, referred to as FontOnLake by the cybersecurity firm ESET, is characterised as having “well-designed modules” that are regularly being upgraded with new components, signalling that the malware is still under active development. Samples uploaded to VirusTotal indicate that systems may have been compromised by this malware as early as May 2020.

The same malware is also being tracked by Avast and Lacework Labs under the name HCRootkit.

As described by Vladislav Hrčka, a researcher from ESET, “the sneaky nature of FontOnLake’s tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks”. He further explained: “to collect data or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake’s presence is always accompanied by a rootkit. These binaries are commonly used on Linux systems and can additionally serve as a persistence mechanism.”

FontOnLake’s toolset comprises three components: trojanised versions of legitimate Linux utilities that are used to load kernel-mode rootkits and user-mode backdoors, and these components all communicate with each other through virtual files. The C++ implants are designed to monitor systems, covertly execute commands on the network and steal account credentials.
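Because the loaders are trojanised copies of utilities that are normally present on the host, the defender's first question is whether any system binary differs from its known-good version. The following Python script, added here as an example and not taken from the article or from ESET, records SHA-256 digests of a set of binaries and later reports which ones were modified or removed. The file names, contents and "trusted" baseline are constructed for the demo; on a real host the digests would come from package metadata (for example `dpkg --verify` or `rpm -Va` already do this for packaged files) or a golden image, and the baseline must be stored off the monitored machine.

```python
"""Detect trojanised binaries by comparing SHA-256 digests with a trusted baseline.

Added example (not ESET's or the article's code). The file names, contents
and the 'trusted' baseline below are constructed for the demo; on a real
host the baseline must come from a known-good source (package metadata or a
golden image) and be stored off the monitored machine.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream the file so large binaries never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Map each path to its digest; run this on a known-good system."""
    return {path: sha256_of(path) for path in paths}


def verify_baseline(baseline):
    """Return {path: 'modified' | 'missing'} for every entry that no longer matches."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            findings[path] = "missing"
        elif sha256_of(path) != expected:
            findings[path] = "modified"
    return findings


def demo():
    """Constructed scenario: baseline three stand-in utilities, then alter two of them."""
    with tempfile.TemporaryDirectory() as workdir:
        paths = []
        for name in ("util_a", "util_b", "util_c"):  # placeholder utility names
            path = os.path.join(workdir, name)
            with open(path, "wb") as f:
                f.write(b"#!/bin/sh\necho original " + name.encode() + b"\n")
            paths.append(path)
        baseline = build_baseline(paths)

        # Simulate the replacement of one utility with a modified copy ...
        with open(paths[1], "ab") as f:
            f.write(b"# extra bytes standing in for an appended loader\n")
        # ... and the removal of another.
        os.remove(paths[2])

        return {os.path.basename(p): v for p, v in verify_baseline(baseline).items()}


if __name__ == "__main__":
    print(demo())  # {'util_b': 'modified', 'util_c': 'missing'}
```

A digest check only catches on-disk tampering; a rootkit that lies to `open()` or `read()` would need the baseline to be verified from a clean boot medium, which is the usual recommendation once a kernel-mode component is suspected.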

A second variant of the backdoor can additionally act as a proxy, manipulate files and download files. A third variant combines features from the other two backdoors and can also run Python scripts and shell commands.

ESET further disclosed that two different versions of the Linux rootkit, both based on the open-source project Suterusu, have been found. They overlap in functionality, including hiding processes, files and network connections, performing file operations, and extracting and executing the user-mode backdoor.
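Process hiding of the kind described here usually works by filtering the process out of the `/proc` directory listing that `ps` and `top` rely on, while the kernel still knows the PID. The following Python script, added here as an example and not part of the article or of ESET's tooling, cross-checks the visible listing against a direct signal-0 probe of every PID and reports the ones that answer but are not listed. The core check takes the listing and the probe as parameters so it can be exercised with constructed data; the `scan_live` helper applies it to the running host, and the thread-group check and second listing are there to avoid the two common false positives (thread IDs, and processes created mid-scan).

```python
"""Find processes hidden from the /proc listing by probing every PID directly.

Added example, not from the article or ESET. A rootkit that hides a process
usually filters it out of the /proc directory listing, but the kernel still
knows the PID: kill(pid, 0) sends no signal and succeeds (or fails with EPERM
for another user's process) whenever the PID is in use. The core check takes
the listing and the probe as parameters so it can be exercised with
constructed data; `scan_live` applies it to the running host.
"""
import os


def proc_listing():
    """PIDs exactly as a (possibly rootkit-filtered) readdir of /proc presents them."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_exists(pid):
    """Signal-0 probe: ESRCH -> no such PID, EPERM -> exists but not ours."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def is_thread(pid):
    """Threads also answer the probe but are legitimately absent from the listing;
    their Tgid (thread group id) differs from the probed id."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def find_hidden_pids(visible, exists, pid_max):
    """Return PIDs that answer the probe but are missing from the listing."""
    return sorted(
        pid for pid in range(1, pid_max + 1) if pid not in visible and exists(pid)
    )


def read_pid_max():
    """Upper bound of the PID space on this host (falls back to the classic default)."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return 32768


def scan_live():
    """Live scan with two listings so PIDs created mid-scan are not reported."""
    before = proc_listing()
    candidates = find_hidden_pids(before, pid_exists, read_pid_max())
    after = proc_listing()
    return [p for p in candidates if p not in after and not is_thread(p)]


def demo_with_constructed_data():
    """Constructed scenario: the kernel knows five PIDs, the listing shows three."""
    kernel_pids = {1, 2, 250, 4321, 4322}
    listing = {1, 2, 250}  # 4321 and 4322 filtered out by a hypothetical rootkit
    return find_hidden_pids(listing, lambda p: p in kernel_pids, pid_max=5000)


if __name__ == "__main__":
    print(demo_with_constructed_data())  # [4321, 4322]
    print(scan_live())
```

The live scan is only as trustworthy as the kernel it runs on: a rootkit that also intercepts `kill()` or the `/proc/<pid>/status` read can defeat it, so a non-empty result is a strong signal but an empty one is not proof of a clean host. The same cross-view idea applies to the files and network connections the rootkit hides (for example comparing a socket listing taken on the host with the connections seen from a network tap).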

How the attackers gain initial access to the network is unknown. The cybersecurity firm nevertheless described the threat actor as “overly cautious”, using unique command-and-control (C2) servers with differing non-standard ports to remain hidden. All of the C2 servers seen in the samples uploaded to VirusTotal are currently inactive.

Hrčka added that “their scale and advanced design suggest that the authors are well versed in cybersecurity and that these tools might be reused in future campaigns” and that “as most of the features are designed just to hide its presence, relay communication, and provide backdoor access, we believe that these tools are mostly used to maintain infrastructure which serves some other, unknown, malicious purposes”.
