Posted on October 11, 2021 at 2:55 PM
Researchers detect Sneaky FontOnLake Malware on Linux Systems
Researchers have identified a malware family that uses custom and highly sophisticated modules to target Linux systems. According to researchers, this malware family was previously unknown and is now dubbed FontOnLake.
The research from ESET states that this malware family has been regularly developed to offer remote access to user systems. Furthermore, it is used to phish for credentials and works as a proxy server.
Malware uses Rootkit to Hide its existence
The report detailed how this malware works when collecting data such as user credentials. It relies on altered legitimate binaries that have been modified to load additional functionality onto the system. Moreover, the threat actors have added a rootkit to hide the existence of this malware.
The binaries used by this malware family are similar to those used on Linux systems. The researchers noted that these binaries could be used to fuel further attacks on systems. The sophisticated design of this malware and the lengths to which the threat actors have gone to keep it from being detected show that it could be engineered to conduct targeted attacks.
Further analysis into this malware shows that its targets are mainly based in Southeast Asia. The malware was first detected in May last year on VirusTotal. More samples of the malware were then collected throughout the year. The data from VirusTotal explaining where these samples were uploaded and the C&C server show that its target group is in the Southeast Asian region.
A further evaluation of how the FontOnLake malware operates shows that the threat actors behind it are extremely cautious to avoid detection. The vast majority of samples use C&C servers with different non-standard ports. Moreover, all of the C&C servers used in the uploaded samples were inactive, showing that they might have been deactivated following the upload.
The ESET researchers also discovered trojanized applications that are mainly used to launch custom backdoor or rootkit modules. The threat actors behind them can also use these applications to collect sensitive information on users stored in their Linux systems.
The patches to the trojanized applications also show a high possibility that they were applied at the source code level, indicating that these applications could have been compiled and later used to replace the original applications.
An analysis of the trojanized files revealed that they were standard Linux utilities. Moreover, each application offered a persistent method of attack because it is mainly loaded during the boot-up process.
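Because the trojanized files replace standard utilities on disk, one defensive check is to compare installed files against a package manifest. The sketch below is an added example, not code from ESET or from this article; it assumes a dpkg-style md5sums manifest (as found under /var/lib/dpkg/info on Debian), the file names are constructed, and the `root` parameter is there so the check can be run against a disk mounted from trusted media, since a kernel-mode rootkit can hide changes from tools running on the infected host.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse dpkg-style lines: '<md5hex>  <path relative to />'."""
    entries = {}
    for line in text.splitlines():
        digest, _, rel_path = line.partition("  ")
        if len(digest) != 32 or not rel_path:
            continue  # skip blank or malformed lines
        entries[rel_path.lstrip("/")] = digest.lower()
    return entries

def file_md5(path, chunk=65536):
    """Hash a file in chunks. MD5 is what dpkg manifests contain."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(root, manifest_text):
    """Return {rel_path: 'ok' | 'modified' | 'missing'} for files under root."""
    results = {}
    for rel_path, expected in parse_md5sums(manifest_text).items():
        full = os.path.join(root, rel_path)
        if not os.path.isfile(full):
            results[rel_path] = "missing"
        elif file_md5(full) != expected:
            results[rel_path] = "modified"
        else:
            results[rel_path] = "ok"
    return results

def demo():
    """Constructed sample: one intact file, one replaced, one absent."""
    original = b"original utility bytes"
    manifest = "".join(
        f"{hashlib.md5(original).hexdigest()}  bin/{name}\n"
        for name in ("tool_a", "tool_b", "tool_c")
    )
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "tool_a"), "wb") as f:
            f.write(original)
        with open(os.path.join(root, "bin", "tool_b"), "wb") as f:
            f.write(b"rebuilt from patched source")  # simulated replacement
        return verify(root, manifest)

if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9} {path}")
```

The manifest is only as trustworthy as its source, so take it from the distribution's package rather than from the host under examination.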
The ESET researchers are still analyzing this malware for more details, such as how the trojanized applications were deployed on a victim’s device. The analysis shows that the trojanized application used a virtual file to communicate with the rootkit. An operator can request the virtual file to receive or send data, which is later exported to the backdoor component.
Malware uses Three Different Backdoors
The ESET researchers further stated that three different backdoors are connected to the malware. The three backdoors are written in C++ and create a bridge to the same C2 used to export data. What is unique about the malware is that the three backdoors contain sophisticated software design patterns. Besides exfiltrating data, the backdoors can also gather credential data.
The three backdoors also come with different functionalities, and the overlap could mean that they cannot be used together to compromise a single system. Each of the backdoors is also equipped with a custom heartbeat command, which is sent and received regularly, thus keeping the connection active.
“We discovered two marginally different versions of the rootkit, used only one at a time, in each of the three backdoors. There are significant differences between those two rootkits. However, certain aspects of them overlap. Even though the rootkit versions are based on the suterusu open-source project, they contain several of their exclusive custom techniques,” the research stated.
The FontOnLake malware is always paired with a kernel-mode rootkit, which gives it a persistence mechanism on Linux systems. Other cybersecurity research firms have also detected the FontOnLake malware family. Research by the Avast cybersecurity firm also shows that the malware’s rootkit is based on the open-source Suterusu project.
Other researchers who have published work that could describe a similar type of malware include Lacework Labs and Tencent. The ESET researchers have also issued a technical whitepaper that examines the FontOnLake malware and its working design.
The researchers further stated that “Companies or individuals who want to protect their Linux endpoints or servers from this threat should use a multilayered security product and an updated version of their Linux distribution; some of the samples we have analyzed were created specifically for CentOS and Debian.”