ESET stated on Thursday that a previously unknown modular malware family targeting Linux systems has been used in targeted attacks to harvest credentials and gain access to victim systems.
The malware family, dubbed FontOnLake, uses a rootkit to conceal its presence and a different command-and-control server for each sample, showing how careful its operators are to keep a low profile.
The malware authors are also constantly tweaking the FontOnLake modules, which fall into three types of components designed to work together: trojanized applications, backdoors, and rootkits.
According to the available evidence, FontOnLake appears to have been used in attacks against organisations in Southeast Asia.
The first malware samples from this family surfaced last May. The malware had previously been described as the HCRootkit / Sutersu Linux rootkit by Avast and Lacework, and by the Tencent Security Response Center in a February report.
The trojanized applications that ESET’s researchers discovered during their analysis are used to load custom backdoor or rootkit modules and to collect sensitive data when required. These files were disguised as standard Linux utilities in order to maintain persistence on the infected systems.
The researchers have not yet determined how the trojanized applications are delivered to victims.
According to ESET’s analysis, FontOnLake uses three different backdoors, all written in C++, all built on the same Asio library from Boost, and all capable of stealing sshd credentials and bash command history.
The simplest of the three was created to start and mediate access to a local SSH server and to update and transmit the credentials it has gathered. This backdoor still appears to be under development.
The second backdoor exfiltrates passwords, provides access to a customised sshd, and acts as a proxy, but it can also manipulate files, update itself, list directories, and upload and download files.
The third backdoor, which can operate in both client and server mode, accepts remote connections, acts as a proxy, and can download and run Python scripts, in addition to exfiltrating passwords. ESET explains that it also mediates the I/O of those scripts and commands.
The researchers identified two rootkit variants used in these attacks, both based on the open-source Suterusu project and capable of hiding processes, files, network connections, and themselves, as well as exposing the acquired credentials to the backdoor.
The first rootkit can monitor traffic for specially crafted ICMP packets and fetch and run binaries (backdoors), whereas the second supports more commands and has a modified implementation of several of the capabilities.
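As an added example (not code from ESET's report or from the malware), a defender-side check against the process-hiding behaviour described above: it compares the PIDs that /proc lists with the PIDs the kernel acknowledges through kill(pid, 0), a classic cross-view technique. It assumes a Linux host with /proc mounted, and it only catches rootkits that filter /proc listings, not ones that also hook the kill() syscall.

```python
import os

def visible_pids_and_tids():
    """Every process and thread ID that /proc is willing to list.
    Thread IDs are included because kill(tid, 0) succeeds for them too,
    so they must not be mistaken for hidden processes."""
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        ids.add(pid)
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:
            pass  # the process exited between the two listings
    return ids

def pid_exists_by_signal(pid):
    """True if the kernel knows this PID, regardless of what /proc shows.
    EPERM means the process exists but belongs to another user."""
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:
        return True
    except ProcessLookupError:
        return False

def find_hidden_pids(pid_max=None):
    """Return PIDs the kernel acknowledges but /proc does not list."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    visible = visible_pids_and_tids()
    candidates = {p for p in range(1, pid_max + 1)
                  if p not in visible and pid_exists_by_signal(p)}
    # Second pass with fresh data: drops processes that were spawned or
    # exited during the scan, which would otherwise be false positives.
    visible = visible_pids_and_tids()
    return sorted(p for p in candidates
                  if p not in visible and pid_exists_by_signal(p))

if __name__ == "__main__":
    hidden = find_hidden_pids()
    print("hidden PIDs:", hidden if hidden else "none")
```

A non-empty result warrants a closer look at the kernel (loaded modules, syscall table) rather than the userland tools, since a rootkit that hides from /proc will also hide from ps, top and netstat.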