Cybersecurity researchers have detailed a new campaign that likely targets entities in Southeast Asia with a previously unrecognized Linux malware that's engineered to enable remote access to its operators, in addition to amassing credentials and function as a proxy server.
The malware family, dubbed "FontOnLake" by Slovak cybersecurity firm ESET, is said to feature "well-designed modules" that are continuously being upgraded with a broad range of abilities, indicating an active development phase. Samples uploaded to VirusTotal point to the possibility that the very first intrusions utilizing this threat have been happening as early as May 2020.
Avast and Lacework Labs are tracking the same malware under the moniker HCRootkit.
"The sneaky nature of FontOnLake's tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks," ESET researcher Vladislav Hrčka said. "To collect data or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake's presence is always accompanied by a rootkit. These binaries are commonly used on Linux systems and can additionally serve as a persistence mechanism."
FontOnLake's toolset includes three components that consist of trojanized versions of legitimate Linux utilities that are used to load kernel-mode rootkits and user-mode backdoors, all of which communicate with one another using virtual files. The C++-based implants themselves are designed to monitor systems, secretly execute commands on networks, and exfiltrate account credentials.
A second permutation of the backdoor also comes with capabilities to act as a proxy, manipulate files, download arbitrary files, while a third variant, besides incorporating features from the other two backdoors, is equipped to execute Python scripts and shell commands.
ESET said it found two different versions of the Linux rootkit that's based on an open-source project called Suterusu and share overlaps in functionality, including hiding processes, files, network connections, and itself, while also being able to carry out file operations, and extract and execute the user-mode backdoor.
It's currently not known how the attackers gain initial access to the network, but the cybersecurity company noted that the threat actor behind the attacks is "overly cautious" to avoid leaving any tracks by relying on different, unique command-and-control (C2) servers with varying non-standard ports. All the C2 servers observed in the VirusTotal artifacts are no longer active.
"Their scale and advanced design suggest that the authors are well versed in cybersecurity and that these tools might be reused in future campaigns," Hrčka said. "As most of the features are designed just to hide its presence, relay communication, and provide backdoor access, we believe that these tools are used mostly to maintain an infrastructure which serves some other, unknown, malicious purposes."