FontOnLake: Beforehand unknown malware household focusing on Linux

FontOnLake: Previously unknown malware family targeting Linux

ESET researchers uncover a malware household with instruments that present indicators they’re utilized in focused assaults

ESET researchers have found a beforehand unknown malware household that makes use of customized and well-designed modules, focusing on programs working Linux. Modules utilized by this malware household, which we dubbed FontOnLake, are always beneath improvement and supply distant entry to the operators, accumulate credentials, and function a proxy server. On this blogpost, we summarize the findings revealed in full in our white paper.

To gather knowledge (as an illustration ssh credentials) or conduct different malicious exercise, this malware household makes use of modified legit binaries which might be adjusted to load additional parts. In reality, to hide its existence, FontOnLake’s presence is at all times accompanied by a rootkit. These binaries comparable to cat, kill or sshd are generally used on Linux programs and may moreover function a persistence mechanism.

The sneaky nature of FontOnLake’s instruments together with superior design and low prevalence counsel that they’re utilized in focused assaults.

The primary recognized file of this malware household appeared on VirusTotal final Might and different samples have been uploaded all year long. The situation of the C&C server and the nations from which the samples have been uploaded to VirusTotal would possibly point out that its targets embody Southeast Asia.

We imagine that FontOnLake’s operators are notably cautious since nearly all samples seen use distinctive C&C servers with various non-standard ports. The authors use principally C/C++ and numerous third-party libraries comparable to Increase, Poco, or Protobuf. Not one of the C&C servers utilized in samples uploaded to VirusTotal have been energetic on the time of writing – which signifies that they might have been disabled because of the add.

Recognized parts of FontOnLake

FontOnLake’s at the moment recognized parts might be divided into three following teams that work together with one another:

  • Trojanized purposes – modified legit binaries which might be adjusted to load additional parts, accumulate knowledge, or conduct different malicious actions.
  • Backdoors – consumer mode parts serving as the primary level of communication for its operators.
  • Rootkits – kernel mode parts that principally conceal and disguise their presence, help with updates, or present fallback backdoors.

Trojanized purposes

We found a number of trojanized purposes; they’re used principally to load customized backdoor or rootkit modules. Other than that, they will additionally accumulate delicate knowledge. Patches of the purposes are most probably utilized on the supply code stage, which signifies that the purposes will need to have been compiled and changed the unique ones.

All of the trojanized recordsdata are customary Linux utilities and every serves as a persistence methodology as a result of they’re generally executed on system start-up. The preliminary approach wherein these trojanized purposes get to their victims just isn’t recognized.

Communication of a trojanized utility with its rootkit runs by a digital file, which is created and managed by the rootkit. As illustrated in Determine 1, knowledge might be learn/written from/to the digital file and exported with its backdoor part upon the operator’s request.

Determine 1. Interplay of FontOnLake’s parts


The three completely different backdoors we found are written in C++ and all use, albeit in barely alternative ways, the identical Asio library from Increase for asynchronous community and low-level I/O. Poco, Protobuf, and options from STL comparable to good pointers are used as nicely. What’s uncommon for malware is the truth that these backdoors additionally function plenty of software program design patterns.

The performance that all of them have in widespread is that every exfiltrates collected credentials and its bash command historical past to its C&C.

Contemplating among the overlapping performance, most probably these completely different backdoors will not be used collectively on one compromised system.

All of the backdoors moreover use customized heartbeat instructions despatched and obtained periodically to maintain the connection alive.

The general performance of those backdoors consists of the next strategies:

  • Exfiltrating the collected knowledge
  • Making a bridge between a customized ssh server working regionally and its C&C
  • Manipulating recordsdata (as an illustration, add/obtain, create/delete, listing itemizing, modify attributes, and so forth)
  • Serving as a proxy
  • Executing arbitrary shell instructions and python scripts


We found two marginally completely different variations of the rootkit, used solely one by one, in every of the three backdoors. There are vital variations between these two rootkits; nevertheless, sure points of them overlap. Although the rootkit variations are primarily based on the suterusu open-source challenge, they comprise a number of of FontOnLake’s unique, customized strategies.

Mixed performance of the 2 variations of the rootkit we found embody:

  • Course of hiding
  • File hiding
  • Hiding itself
  • Hiding community connections
  • Exposing the collected credentials to its backdoor
  • Performing port forwarding
  • Magic packets reception (magic packets are specifically crafted packets that may instruct the rootkit to obtain and execute one other backdoor)

Following our discovery whereas finalizing our white paper on this matter, distributors comparable to Tencent Safety Response Middle, Avast and Lacework Labs revealed their analysis on what seems to be the identical malware.

All recognized parts of FontOnLake are detected by ESET merchandise as Linux/FontOnLake. Corporations or people who need to defend their Linux endpoints or servers from this menace ought to use a multilayered safety product and an up to date model of their Linux distribution; among the samples we’ve analyzed have been created particularly for CentOS and Debian.

Prior to now we described an operation that shared sure behavioral patterns with FontOnLake; nevertheless, its scale and influence have been a lot greater. We dubbed it Operation Windigo and you could find extra details about it in this white paper and this follow-up blogpost.

Further technical particulars on FontOnLake might be present in our complete white paper.



SHA-1 Description Detection identify
1F52DB8E3FC3040C017928F5FFD99D9FA4757BF8 Trojanized cat Linux/FontOnLake
771340752985DD8E84CF3843C9843EF7A76A39E7 Trojanized kill
27E868C0505144F0708170DF701D7C1AE8E1FAEA Trojanized sftp
45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378 Trojanized sshd
1829B0E34807765F2B254EA5514D7BB587AECA3F Customized sshd
8D6ACA824D1A717AE908669E356E2D4BB6F857B0 Customized sshd
38B09D690FAFE81E964CBD45EC7CF20DCB296B4D Backdoor 1 variant 1
56556A53741111C04853A5E84744807EEADFF63A Backdoor 1 variant 2
FE26CB98AA1416A8B1F6CED4AC1B5400517257B2 Backdoor 1 variant 3
D4E0E38EC69CBB71475D8A22EDB428C3E955A5EA Backdoor 1 variant 4
204046B3279B487863738DDB17CBB6718AF2A83A Backdoor 2 variant 1
9C803D1E39F335F213F367A84D3DF6150E5FE172 Backdoor 2 variant 2
BFCC4E6628B63C92BC46219937EA7582EA6FBB41 Backdoor 2 variant 3
515CFB5CB760D3A1DA31E9F906EA7F84F17C5136 Backdoor 3 variant 4
A9ED0837E3AF698906B229CA28B988010BCD5DC1 Backdoor 3 variant 5
56CB85675FE7A7896F0AA5365FF391AC376D9953 Rootkit 1 model 1
72C9C5CE50A38D0A2B9CEF6ADEAB1008BFF12496 Rootkit 1 model 2
B439A503D68AD7164E0F32B03243A593312040F8 Rootkit 1 model 3
E7BF0A35C2CD79A658615E312D35BBCFF9782672 Rootkit 1 model 4
56580E7BA6BF26D878C538985A6DC62CA094CD04 Rootkit 1version 5
49D4E5FCD3A3018A88F329AE47EF4C87C6A2D27A Rootkit 1 model 5
74D44C2949DA7D5164ADEC78801733680DA8C110 Rootkit 2 model 1
74D755E8566340A752B1DB603EF468253ADAB6BD Rootkit 2 model 2
E20F87497023E3454B5B1A22FE6C5A5501EAE2CB Rootkit 2 model 3


From samples:


From internet-wide scan:



/and many others/sysconfig/modules/ati_remote3.modules

Digital filenames


MITRE ATT&CK strategies

This desk was constructed utilizing model 9 of the ATT&CK framework.

Tactic ID Title Description
Preliminary Entry T1078 Legitimate Accounts FontOnLake can accumulate not less than ssh credentials.
Execution T1059.004 Command and Scripting Interpreter: Unix Shell FontOnLake permits execution of Unix Shell instructions.
T1059.006 Command and Scripting Interpreter: Python FontOnLake permits execution of arbitrary Python scripts.
T1106 Native API FontOnLake makes use of fork() to create extra processes comparable to sshd.
T1204 Person Execution FontOnLake trojanizes customary instruments comparable to cat to execute itself.
Persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions One in all FontOnLake’s rootkits might be executed with a start-up script.
T1037 Boot or Logon Initialization Scripts FontOnLake creates a system start-up script ati_remote3.modules.
T1554 Compromise Consumer Software program Binary FontOnLake modifies a number of customary binaries to realize persistence.
Protection Evasion T1140 Deobfuscate/Decode Recordsdata or Data Some backdoors of FontOnLake can decrypt AES-encrypted and serialized communication and base64 decode encrypted C&C handle.
T1222.002 File and Listing Permissions Modification: Linux and Mac File and Listing Permissions Modification FontOnLake’s backdoor can change the permissions of the file it needs to execute.
T1564 Cover Artifacts FontOnLake hides its connections and processes with rootkits.
T1564.001 Cover Artifacts: Hidden Recordsdata and Directories FontOnLake hides its recordsdata with rootkits.
T1027 Obfuscated Recordsdata or Data FontOnLake packs its executables with UPX.
T1014 Rootkit FontOnLake makes use of rootkits to cover the presence of its processes, recordsdata, community connections and drivers.
Credential Entry T1556 Modify Authentication Course of FontOnLake modifies sshd to gather credentials.
Discovery T1083 File and Listing Discovery One in all FontOnLake’s backdoors can checklist recordsdata and directories.
T1082 System Data Discovery FontOnLake can accumulate system data from the sufferer’s machine.
Lateral Motion T1021.004 Distant Providers: SSH FontOnLake collects ssh credentials and most likely intends to make use of them for lateral motion.
Command and Management T1090 Proxy FontOnLake can function a proxy.
T1071.001 Utility Layer Protocol: Internet Protocols FontOnLake acquires extra C&C servers over HTTP.
T1071.002 Utility Layer Protocol: File Switch Protocols FontOnLake can obtain extra Python recordsdata to be executed over FTP.
T1132.001 Knowledge Encoding: Normal Encoding FontOnLake makes use of base64 to encode HTTPS responses.
T1568 Dynamic Decision FontOnLake can use HTTP to obtain sources that comprise an IP handle and port quantity pair to hook up with and purchase its C&C. It could actually use dynamic DNS decision to assemble and resolve to a randomly chosen area.
T1573.001 Encrypted Channel: Symmetric Cryptography FontOnLake makes use of AES to encrypt communication with its C&C.
T1008 Fallback Channels FontOnLake can use dynamic DNS decision to assemble and resolve to a randomly chosen area. One in all its rootkits additionally listens for specifically crafted packets, which instruct it to obtain and execute extra recordsdata. It additionally each connects to a C&C and accepts connections on all interfaces.
T1095 Non-Utility Layer Protocol FontOnLake makes use of TCP for communication with its C&C.
T1571 Non-Normal Port Nearly each pattern of FontOnLake makes use of a novel non-standard port.
Exfiltration T1041 Exfiltration Over C2 Channel FontOnLake makes use of its C&C to exfiltrate collected knowledge.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts