Previously undetected FontOnLake Linux malware used in targeted attacks
Latest in cybersecurity.
ESET researchers spotted a previously unknown, modular Linux malware, dubbed FontOnLake, that has been employed in targeted attacks.
ESET researchers spotted a previously unknown, modular Linux malware, dubbed FontOnLake, that was employed in targeted attacks on organizations in Southeast Asia. According to the experts, modules of this malware family are under development and continuously improved.
“ESET researchers have discovered a previously unknown malware family that utilizes custom and well-designed modules, targeting systems running Linux. Modules used by this malware family, which we dubbed FontOnLake, are constantly under development and provide remote access to the operators, collect credentials, and serve as a proxy server.” reads the report published by the experts.
The malicious code was used by the threat actors to collect credentials from infected systems and acts as a proxy server.
FontOnLake is always accompanied by a rootkit to conceal its existence, the components used by the malware can be divided into three following groups that interact with each other:
- Trojanized applications – modified legitimate binaries that are adjusted to load further components, collect data, or conduct other malicious activities.
- Backdoors – user mode components serving as the main point of communication for its operators.
- Rootkits – kernel mode components that mostly hide and disguise their presence, assist with updates, or provide fallback backdoors.
The first FontOnLake sample was spotted by the researchers in May 2020, but other samples were discovered throughout the year. Other researchers teams also analyzed the same threat, including the Tencent Security Response
Center, Avast and Lacework Labs.
All the samples detected by the researchers used unique C&C servers with varying non-standard ports to remain under the radar. At the time of writing the report, the C&C servers used in samples uploaded to VirusTotal were not active, likely because the operators been disabled them after they were discovered.
The experts discovered identifies multiple trojanized applications that are used to load custom backdoor or rootkit modules, the malicious code was also able to collect sensitive data from infected systems.
ESET researchers discovered three different backdoors, all are written in C++ and all use the same Asio library from Boost. The authors also used other third-party libraries such as Poco, or Protobuf.
via Security Affairs https://ift.tt/2ISWpiN
October 10, 2021 at 02:54AM