Researchers Warn of FontOnLake Rootkit Malware Targeting Linux Systems

Cybersecurity researchers have detailed a new campaign that likely targets entities in Southeast Asia with a previously undocumented Linux malware family. The malware gives its operators remote access to compromised hosts, harvests credentials and can function as a proxy server.

The family, dubbed "FontOnLake" by Slovak cybersecurity firm ESET, is said to feature "well-designed modules" that are continuously being upgraded with new features, a sign of active development. Samples uploaded to VirusTotal suggest that the first intrusions using this threat may have occurred as early as May 2020.

Avast and Lacework Labs are tracking the same malware under the name HCRootkit.

"The sneaky nature of FontOnLake's tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks," ESET researcher Vladislav Hrčka said. "To collect data or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake's presence is always accompanied by a rootkit. These binaries are commonly used on Linux systems and can additionally serve as a persistence mechanism."

FontOnLake's toolset has three kinds of components: trojanized versions of legitimate Linux utilities, which are used to load kernel-mode rootkits and user-mode backdoors; the rootkits; and the backdoors. The components communicate with one another through virtual files. The C++ backdoors themselves are built to monitor the system, covertly execute commands and exfiltrate account credentials.
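Because the loaders are patched copies of everyday utilities, they are invisible to anyone who only checks that the expected binary is present. What does catch them is a comparison against a known-good record of the files. The following is an added example, not ESET's tooling or anything from the FontOnLake samples: it records a SHA-256 manifest of the executables under a set of directories and later reports files whose hash changed, files that disappeared and executables that appeared. The `demo()` scenario builds a throw-away directory with stand-in utilities named `cat`, `kill` and `sshd` (constructed names, not taken from the report), tampers with it and verifies; the appended bytes and the dropped `.loader` file are likewise constructed.

```python
#!/usr/bin/env python3
"""Baseline-and-verify check for executables (added example, not project code).

A modified legitimate binary only stands out if something remembers what the
genuine file looked like. The manifest must live off the host or on read-only
media, otherwise an attacker who can patch /bin/cat can also rewrite it.
"""
import hashlib
import os
import stat
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def executables_under(roots):
    """Yield regular files with any execute bit set below the given directories."""
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                    yield path


def build_manifest(roots):
    """Map path -> sha256 hex digest for every executable under roots."""
    return {p: sha256_file(p) for p in executables_under(roots)}


def verify_manifest(manifest, roots):
    """Compare the current tree with a stored manifest.

    'modified'   : present in both but content differs (a patched utility)
    'missing'    : in the manifest, gone from disk
    'unexpected' : executable on disk that the manifest never saw (a dropped loader)
    """
    current = build_manifest(roots)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario in a temp dir: baseline, tamper, verify. Returns basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "bin")
        os.mkdir(bindir)
        for name in ("cat", "kill", "sshd"):  # stand-in names, constructed for the demo
            path = os.path.join(bindir, name)
            with open(path, "wb") as f:
                f.write(b"#!/bin/sh\necho genuine " + name.encode() + b"\n")
            os.chmod(path, 0o755)
        manifest = build_manifest([bindir])

        # Simulated tampering: one utility "adjusted" to load something extra,
        # one removed, one new executable dropped alongside them.
        with open(os.path.join(bindir, "cat"), "ab") as f:
            f.write(b"# constructed: extra loader stub appended by the attacker\n")
        os.remove(os.path.join(bindir, "kill"))
        dropped = os.path.join(bindir, ".loader")
        with open(dropped, "wb") as f:
            f.write(b"\x7fELF")
        os.chmod(dropped, 0o755)

        report = verify_manifest(manifest, [bindir])
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

On a packaged system the same comparison is available without a home-grown baseline: `rpm -Va` on RPM-based distributions and `dpkg --verify` (or `debsums`) on Debian-based ones check installed files against the vendor's recorded hashes. Both, like this script, run in user space and read the disk through the kernel, so a rootkit that is already loaded can in principle feed them clean bytes; a comparison from a rescue boot or an offline image copy is the trustworthy form of the check.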

A second variant of the backdoor can additionally act as a proxy, manipulate files and download arbitrary files, while a third variant, besides incorporating the features of the other two, can execute Python scripts and shell commands.

ESET said it found two different versions of the Linux rootkit, both based on the open-source project Suterusu. They overlap in functionality: hiding processes, files, network connections and the rootkit itself, performing file operations, and extracting and executing the user-mode backdoor.
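Process hiding of the kind described above is usually implemented by filtering the directory listing of `/proc`, so a process that a hook removes from `readdir()` can still be reached by opening `/proc/<pid>/status` directly. The check below exploits that gap: it probes every PID with `kill(pid, 0)`, confirms each hit is a thread-group leader via its `Tgid` line, and reports PIDs that answer but are absent from the listing. This is an added example and not ESET's or the Suterusu project's code; it assumes a Linux procfs at `/proc` and that `pid_max` is readable from `/proc/sys/kernel/pid_max` (with a fallback of 32768). The `hidden_pids()` function is kept pure so it can be exercised with constructed sets.

```python
#!/usr/bin/env python3
"""Hidden-process check: readdir(/proc) versus direct probing (added example).

A kernel module that filters the listing of /proc but leaves path lookup alone
cannot stop open("/proc/<pid>/status") from succeeding. A PID that answers a
direct probe yet is missing from the listing is a candidate hidden process.
A rootkit that also hooks path lookup or kill() defeats this, so a clean
result is evidence, not proof.
"""
import os

PROC = "/proc"


def read_pid_max(proc=PROC, fallback=32768):
    """Upper bound of the PID space from /proc/sys/kernel/pid_max, else the fallback."""
    try:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return fallback


def listed_pids(proc=PROC):
    """Thread-group leaders as shown by readdir(/proc): the view a getdents hook filters."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def tgid_of(pid, proc=PROC):
    """Thread-group id from /proc/<pid>/status, or None if the entry cannot be read."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError, IndexError):
        return None
    return None


def probed_pids(pid_max, proc=PROC):
    """PIDs reachable by direct syscalls, without relying on the directory listing.

    kill(pid, 0) returns ESRCH for a free PID and 0 or EPERM for a live one. It
    also answers for plain thread ids, which never appear in readdir(/proc), so
    each hit is confirmed to be a thread-group leader through its Tgid.
    """
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists but belongs to another user: still a live PID
        if tgid_of(pid, proc) == pid:
            found.add(pid)
    return found


def hidden_pids(listed, probed, relist=None, proc=PROC):
    """PIDs that answered a probe but were missing from the listing.

    `relist` returns a fresh listing, used to drop processes that merely started
    or exited between the two snapshots instead of reporting them as hidden.
    """
    candidates = probed - listed
    if relist is not None and candidates:
        fresh = relist()
        candidates = {p for p in candidates if p not in fresh and tgid_of(p, proc) == p}
    return candidates


def scan(pid_max=None, proc=PROC):
    """Full check over the PID space; returns the set of suspect PIDs (empty when clean)."""
    pid_max = pid_max or read_pid_max(proc)
    listed = listed_pids(proc)
    probed = probed_pids(pid_max, proc)
    return hidden_pids(listed, probed, relist=lambda: listed_pids(proc), proc=proc)


def self_visible(proc=PROC):
    """Sanity check: the scanner's own process must be both listed and probe-able."""
    me = os.getpid()
    return me in listed_pids(proc) and tgid_of(me, proc) == me


if __name__ == "__main__":
    suspects = scan()
    print("hidden PID candidates:", sorted(suspects) or "none")
```

On hosts where `pid_max` is the systemd default of 4194304 the full probe loop takes a few seconds in Python; the scan does not need root, since `kill(pid, 0)` reports EPERM rather than ESRCH for other users' processes. The same listing-versus-direct-access idea applies to the files and network connections the rootkit hides (for example `/proc/net/tcp` against a direct socket probe), but each of those needs its own ground truth and is not covered here.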

It is currently not known how the attackers gain initial access to a network, but ESET noted that the threat actor behind the attacks is "overly cautious" about leaving traces, relying on distinct, unique command-and-control (C2) servers reached over a variety of non-standard ports. None of the C2 servers observed in the VirusTotal artifacts are still active.

"Their scale and advanced design suggest that the authors are well versed in cybersecurity and that these tools might be reused in future campaigns," Hrčka said. "As most of the features are designed just to hide its presence, relay communication, and provide backdoor access, we believe that these tools are used mostly to maintain an infrastructure which serves some other, unknown, malicious purposes."