Cybersecurity researchers have uncovered a targeted campaign, likely aimed at entities in Southeast Asia, that uses a previously undocumented family of Linux malware dubbed "FontOnLake." The malware gives its operators remote access to infected hosts, harvests credentials, and can act as a proxy server.
The Slovak cybersecurity firm ESET describes the family as consisting of "well-architected modules" that are continually upgraded, a sign that development is ongoing. The earliest known samples were uploaded to VirusTotal in May 2020, so the malware has been in use since at least then.
Avast and Lacework Labs track the same malware family under the name HCRootkit.
ESET researcher Vladislav Hrčka assesses that FontOnLake's advanced design, combined with its stealthy nature and low prevalence, indicates it is used in targeted attacks. To gain a foothold, the malware replaces legitimate Linux binaries with modified copies that load further components, and a rootkit hides its presence. Because the trojanized binaries are standard utilities that are executed routinely, they also serve as a persistence mechanism that keeps the operators' access alive.
The toolkit consists of three kinds of components: trojanized copies of legitimate Linux utilities, which load the other pieces; user-mode backdoors; and kernel-mode rootkits. The rootkit and the backdoor communicate with each other through virtual files. The implants, written in C++, are built to collect data from the system, execute commands covertly, and steal user credentials.
One variant of the backdoor additionally acts as a proxy, manipulates files, and downloads arbitrary files. Another variant combines the features of both preceding backdoors and adds the ability to run Python scripts and shell commands.
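The trojanized utilities described above only work as a foothold if the replaced binaries go unnoticed, so the first host check a responder wants is an integrity comparison of system utilities against the package manager's recorded digests. The script below is an added example written for this article, not code from ESET or from the FontOnLake samples. It assumes a Debian-style host where dpkg stores one `<package>.md5sums` file per package under `/var/lib/dpkg/info` (the directory name, the bin-directory prefixes and the demo file names are assumptions of the example); `run_constructed_demo()` exercises the check on a constructed fake root.

```python
import hashlib
import os
import tempfile

# Assumed layout: dpkg records one "<package>.md5sums" file per installed
# package here; each line is "<md5 hex>  <path relative to />". (rpm keeps the
# same data in its database and exposes it via "rpm -V"; this example is dpkg-only.)
DPKG_INFO_DIR = "/var/lib/dpkg/info"
# Directories holding the system utilities a trojanized loader would replace.
SYSTEM_BIN_PREFIXES = ("bin/", "sbin/", "usr/bin/", "usr/sbin/")


def parse_md5sums(text):
    """Parse the content of a dpkg .md5sums file into {relative_path: md5hex}."""
    expected = {}
    for line in text.splitlines():
        digest, sep, relpath = line.strip().partition("  ")
        if sep and len(digest) == 32 and relpath:
            expected[relpath] = digest.lower()
    return expected


def md5_of_file(path):
    """MD5 is what dpkg records; it is used here only to match that baseline."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(expected, root="/", prefixes=SYSTEM_BIN_PREFIXES):
    """Compare files under root against the recorded digests.

    Returns {"/" + relpath: "ok" | "modified" | "missing"} for every recorded
    path that starts with one of the given prefixes; other paths are skipped.
    """
    results = {}
    for relpath, digest in expected.items():
        if not relpath.startswith(prefixes):
            continue
        full = os.path.join(root, relpath)
        if not os.path.isfile(full):
            status = "missing"
        elif md5_of_file(full) != digest:
            status = "modified"
        else:
            status = "ok"
        results["/" + relpath] = status
    return results


def verify_host(info_dir=DPKG_INFO_DIR, root="/"):
    """Run verify_files over every package's .md5sums on a live host.

    Returns {path: (package, status)} for every utility that is not intact.
    """
    findings = {}
    for name in sorted(os.listdir(info_dir)):
        if not name.endswith(".md5sums"):
            continue
        with open(os.path.join(info_dir, name), encoding="utf-8", errors="replace") as f:
            expected = parse_md5sums(f.read())
        for path, status in verify_files(expected, root).items():
            if status != "ok":
                findings[path] = (name[: -len(".md5sums")], status)
    return findings


def run_constructed_demo():
    """Constructed data: a fake root with one intact, one tampered and one missing utility."""
    genuine = b"#!/bin/sh\necho original\n"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        with open(os.path.join(root, "usr/bin/intact"), "wb") as f:
            f.write(genuine)
        with open(os.path.join(root, "usr/bin/tampered"), "wb") as f:
            f.write(b"#!/bin/sh\necho trojanized\n")  # on-disk copy differs from the record
        recorded = hashlib.md5(genuine).hexdigest()
        md5sums = (
            f"{recorded}  usr/bin/intact\n"
            f"{recorded}  usr/bin/tampered\n"
            f"{recorded}  usr/bin/removed\n"
            f"{recorded}  usr/share/doc/not-checked\n"  # outside the bin prefixes, ignored
        )
        return verify_files(parse_md5sums(md5sums), root=root)
```

An operator with root can rewrite the `.md5sums` files along with the binaries, so treat the dpkg database as a convenience baseline only; when a compromise is suspected, take the digests from a freshly downloaded copy of the package or from a known-clean host. Because a kernel rootkit can also falsify what userland reads from disk, run the comparison from a live boot medium or on an offline image of the filesystem.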
ESET has identified two versions of the kernel-mode rootkit, both derived from the open-source Suterusu project. Their functionality overlaps: hiding processes, files and network connections, performing basic file operations, and launching the user-mode backdoor.
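Rootkits of the kind described above typically hide by filtering what `/proc` and `/proc/modules` list, while lower-level kernel interfaces still know the object exists; a cross-check between the two surfaces is therefore the standard triage step. The script below is an added example written for this article, not ESET's tooling and not taken from the Suterusu code. It assumes a Linux host where `kill(pid, 0)` reports ESRCH for absent processes and EPERM for live ones the caller may not signal, and where loadable modules (unlike built-ins) expose an `initstate` attribute under `/sys/module/<name>/` (these are the example's assumptions, stated as such). The pure functions take their inputs as arguments so they can be exercised on constructed data; `scan_live_host()` wires them to the real host.

```python
import os

PROC = "/proc"
SYSFS_MODULES = "/sys/module"


def pid_alive(pid):
    """kill(pid, 0) delivers no signal: ESRCH means no such process, EPERM means it exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def is_thread_id(pid, proc=PROC):
    """/proc lists only thread-group leaders, but kill() also answers for thread IDs.

    A thread's /proc/<tid>/status is reachable by path and shows Tgid != tid.
    An unreadable status is treated as a real process so hidden ones are not skipped.
    """
    try:
        with open(os.path.join(proc, str(pid), "status")) as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False
    return False


def listed_pids(proc=PROC):
    """PIDs as a directory listing of /proc reports them (what ps and top see)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def find_hidden_pids(listed, alive, is_thread, max_pid):
    """PIDs that answer kill(pid, 0) but are absent from the /proc listing."""
    return [
        pid for pid in range(1, max_pid + 1)
        if pid not in listed and alive(pid) and not is_thread(pid)
    ]


def loaded_module_names(sysfs=SYSFS_MODULES):
    """Assumed: loadable modules carry an initstate attribute; built-in entries do not."""
    return [
        name for name in os.listdir(sysfs)
        if os.path.exists(os.path.join(sysfs, name, "initstate"))
    ]


def find_hidden_modules(proc_modules_text, sysfs_names):
    """Modules present in sysfs but missing from /proc/modules (lsmod's data source)."""
    listed = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return sorted(set(sysfs_names) - listed)


def scan_live_host():
    """Run both cross-checks against the real /proc and /sys of this host."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    with open("/proc/modules") as f:
        modules_text = f.read()
    return {
        "hidden_pids": find_hidden_pids(listed_pids(), pid_alive, is_thread_id, pid_max),
        "hidden_modules": find_hidden_modules(modules_text, loaded_module_names()),
    }


if __name__ == "__main__":
    print(scan_live_host())
```

Processes that exit between the `/proc` listing and the probe show up as transient hits, so run the scan twice and keep only the PIDs reported both times. The checks are necessary, not sufficient: a rootkit that also unlinks its sysfs kobject, or hooks `kill()` as well as the `/proc` iterator, passes both. For hidden network connections the analogous comparison is `/proc/net/tcp` (which a rootkit's hooked seq_show can filter) against the netlink-based output of `ss`, which takes a different kernel path.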
How the attackers gain initial access to victim networks is still unknown. ESET notes that the operators are extremely cautious, using almost exclusively unique command-and-control (C2) servers on varying non-standard ports. All C2 servers seen in the VirusTotal samples were inactive at the time of analysis.
According to Hrčka, the scale and sophistication of the tools suggest that their authors are well versed in cybersecurity and may reuse them in future campaigns. Most of the features are aimed at stealth, communication and backdoor access, which points to the toolkit serving as infrastructure for further, as yet undisclosed, malicious activity.