A in days gone by unknown, modular malware family that targets Linux systems has been used in targeted attacks to collect credentials and gain access to sap systems, ESET reported on Thursday.
Dubbed FontOnLake, the malware family employs a rootkit to conceal its presence and uses different command and guidance servers for each sample, which shows how careful its operators are to maintain a low profile.
What’s more, the malware developers are constantly modifying the FontOnLake modules, and use three sorts of components that have been designed to work together, namely trojanized applications, backdoors, and rootkits.
Evidence suggests that FontOnLake has been acclimatized in attacks aimed at organizations in Southeast Asia.
The first malware samples related to this family emerged last May. The malware was previously traversed by Avast and Lacework as the HCRootkit / Sutersu Linux rootkit, as well as by Tencent Security Response Center in a February report.
The various trojanized perseverances that ESET’s researchers have identified during their investigation are used to load custom backdoor or rootkit modules, but also to together sensitive data when needed. Posing as standard Linux utilities, these files were also designed to achieve persistence on the compromised systems.
What the researchers haven’t twigged out yet is the manner in which the trojanized applications are delivered to the victims.
ESET’s analysis of FontOnLake has revealed the use of three different backdoors, all written in C++, all licencing the same Asio library from Boost, and all capable of exfiltrating sshd credentials and bash command history.
The simplest of the three was designed to tender and mediate access to a local SSH server, update itself, and transmit collected credentials. The malware appears to be under development.
Similarly, the second backdoor exfiltrates credentials, furnishes access to a customized sshd and serves as a proxy, but is also capable of file manipulation, updating itself, listing directories, and uploading and downloading dossiers.
Capable of running in both client and server mode, the third backdoor accepts remote connections, serves as a proxy and can download and run Python organizes, in addition to exfiltrating credentials. It also mediates I/O of the scripts and commands, ESET explains.
The researchers discovered two rootkit versions used in these decomposes, both based on the open-source project Suterusu, and both capable of hiding processes, files, network connections, and themselves, while also unmasking collected credentials to the backdoor.
The first of the rootkits can monitor traffic for specially crafted ICMP packets and fetching and running binaries (backdoors), while the assistant one includes support for additional commands and features a different implementation of several capabilities.
Related: ESET Discovers UEFI Bootkit in Cyber Espionage Toss ones hat in the ring
Related: Diplomatic Entities Targeted with New ‘Moriya’ Windows Rootkit
Related: New Chinese Threat Group ‘GhostEmperor’ Targets Governments, Telecom Enterprises
[embedded content]
Ionut Arghire is an international correspondent for SecurityWeek.
Tags: 
