FontOnLake Rootkit Malware Targets Linux Systems, Warns Researchers

FontOnLake Rootkit Malware Targets Linux Systems, Warns ESET

Cybersecurity researchers have identified a new campaign, likely targeting Southeast Asian companies, that uses previously unknown Linux malware designed to give its operators remote access, collect credentials, and act as a proxy server.

ESET, a Slovak cybersecurity organization, has named the malware family “FontOnLake.” It is reported to have “well-designed modules” that are constantly upgraded with new features, indicating that it is still under development.

The same malware is also being tracked by Lacework Labs and Avast under the name HCRootkit.

According to an ESET researcher, FontOnLake’s tools are stealthy, and their advanced design and limited prevalence indicate that they are employed in targeted attacks.

This malware family leverages legitimate programs that have been modified to load additional components, which collect data or carry out other harmful activities.

FontOnLake is always accompanied by a rootkit that hides its presence. The modified binaries are widely used on Linux systems, and they may also serve as a persistence method.

FontOnLake’s toolkit consists of three components: trojanized copies of genuine Linux utilities, which are used to load kernel-mode rootkits and user-mode backdoors, all of which interact with one another through virtual files. The C++-based implants are intended to monitor systems, covertly execute commands on networks, and steal account credentials.

A second variation of the backdoor can operate as a proxy, alter files, and download arbitrary files. In addition to combining characteristics from the other two backdoors, a third variant can also run Python scripts and shell commands.

How the attackers gain initial access to the network is not yet known. However, the threat actor behind the attacks is careful to avoid leaving any footprints, relying on distinct, unique command-and-control (C2) servers with varying non-standard ports. All the C2 servers in the VirusTotal artifacts are no longer operational.

Because of the tools' size and complex design, their creators appear to be well-versed in cybersecurity, and these tools may be used again in future campaigns.

As most functions are designed solely to conceal the malware's presence, relay communication, and enable backdoor access, it is assumed that these tools are primarily employed to maintain an infrastructure that supports other, unknown, malicious goals.

About the author

CIM Team