Linux Systems targeted in New Rootkit Malware campaign

A new malware family, dubbed "FontOnLake" by cybersecurity firm ESET, uses custom, well-designed modules and mainly targets systems running Linux.

The modules employed by this malware are constantly under development. They give the operators remote access, collect credentials, and serve as a proxy server. To collect data or conduct other malicious activity, the malware uses modified legitimate binaries that are adjusted to load further components.

FontOnLake's sneaky nature, in combination with its advanced design, suggests that it is used in targeted attacks. The modified binaries, such as cat, kill or sshd, are commonly used on Linux systems and additionally serve as a persistence mechanism.

How does FontOnLake Rootkit Malware target Linux Systems?



According to ESET researchers, the first known file of this malware family appeared on VirusTotal last May, with other samples uploaded throughout the year. The location of the C&C server from which the samples were uploaded to VirusTotal might indicate that its targets are mainly in Southeast Asia.



FontOnLake’s currently known components can be divided into the following groups: trojanized applications, backdoors, and rootkits. The rootkits are kernel-mode components that mostly hide and disguise their presence, assist with updates, or provide fallback backdoors.

The trojanized applications are used mostly to load custom backdoor or rootkit modules, but they can also collect sensitive data. All the trojanized files are standard Linux utilities, and each serves as a persistence method because it is commonly executed on system start-up. The initial way these trojanized applications get to their victims is still unknown.

The different backdoors discovered are written in C++ and all use, though in slightly different ways, the same Asio library from Boost for asynchronous network and low-level I/O. Poco, Protobuf, and features from the STL such as smart pointers are used as well.

How to Mitigate FontOnLake Malware?



Organizations or individuals who want to protect their Linux endpoints or servers from this malware threat should use a multilayered security product and ensure that their Linux distribution is updated to the latest version.
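Because the trojanized files are standard utilities such as cat, kill or sshd, one practical check is to compare those binaries against the checksums shipped with their packages. The following Python code is an added example, not taken from ESET or from this article; it assumes a dpkg-style md5sums manifest obtained from a trusted copy of the package, and the names `WATCHED`, `parse_md5sums`, `verify` and `demo` are hypothetical. The `root` argument lets it run against a disk image mounted on a clean host, since rootkit components that hide their presence make results from the live system less trustworthy.

```python
import hashlib
import os
import tempfile

WATCHED = {"cat", "kill", "sshd"}  # utilities named in the article; extend as needed

def parse_md5sums(text):
    """Parse dpkg-style lines: '<md5 hex>  <path relative to root>'."""
    entries = {}
    for line in text.splitlines():
        digest, sep, rel = line.partition("  ")
        if sep and len(digest) == 32:
            entries[rel.strip()] = digest.lower()
    return entries

def file_md5(path):
    h = hashlib.md5()  # dpkg manifests store MD5; use a stronger baseline if you have one
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(manifest_text, root="/", watched=WATCHED):
    """Return {path: 'ok' | 'MODIFIED' | 'MISSING'} for the watched binaries."""
    results = {}
    for rel, expected in parse_md5sums(manifest_text).items():
        if os.path.basename(rel) not in watched:
            continue
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            results[rel] = "MISSING"
        else:
            results[rel] = "ok" if file_md5(path) == expected else "MODIFIED"
    return results

def demo():
    """Constructed sample: a throwaway root where cat is altered and kill removed."""
    files = {"bin/cat": b"c1", "bin/kill": b"k1", "usr/sbin/sshd": b"s1", "bin/ls": b"l1"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = "".join(f"{hashlib.md5(d).hexdigest()}  {r}\n" for r, d in files.items())
        with open(os.path.join(root, "bin/cat"), "ab") as f:
            f.write(b"+extra")  # simulate a binary changed after packaging
        os.remove(os.path.join(root, "bin/kill"))
        return verify(manifest, root)

if __name__ == "__main__":
    print(demo())
```

On a Debian-style system the manifests live under /var/lib/dpkg/info/, but a copy stored on the host under inspection can be altered along with the binaries, so feed `verify` a manifest extracted from a package you fetched independently.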

If you require further technical details on FontOnLake, you can check out the comprehensive white paper provided by ESET.
