Cybersecurity researchers have detailed a new campaign that likely targets entities in Southeast Asia with a previously unrecognized Linux malware that is engineered to give its operators remote access, in addition to collecting credentials and functioning as a proxy server.
The malware family, dubbed “FontOnLake” by Slovak cybersecurity firm ESET, is said to feature “well-designed modules” that are continually being upgraded with new features, indicating an active development phase. Samples uploaded to VirusTotal point to the possibility that the very first intrusions using this threat were taking place as early as May 2020.
Other security vendors are tracking the same malware under the moniker HCRootkit.
“The sneaky nature of FontOnLake’s tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks,” ESET researcher Vladislav Hrčka said. “To collect data or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake’s presence is always accompanied by a rootkit. These binaries are commonly used on Linux systems and can additionally serve as a persistence mechanism.”
FontOnLake’s toolset comprises three components: trojanized versions of legitimate Linux utilities, which are used to load kernel-mode rootkits and user-mode backdoors, all of which communicate with one another using virtual files. The C++-based implants themselves are designed to monitor systems, covertly execute commands on the network, and exfiltrate account credentials.
A second variant of the backdoor also comes with the ability to act as a proxy, manipulate files, and download arbitrary files, while a third variant, in addition to incorporating features from the other two backdoors, is equipped to execute Python scripts and shell commands.
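The “modified legitimate binaries” described above are the part of this toolset a defender can check for directly. As an added example (not code from ESET or the article), the script below verifies installed utilities against the MD5 manifests dpkg writes at install time; a trojanized copy of a stock binary no longer matches its manifest. The Debian/Ubuntu layout (`/var/lib/dpkg/info/<package>.md5sums`, one `<md5>  <path relative to />` per line), the sample manifest and the fake filesystem are assumptions and constructed data, not from the article.

```python
"""Added example, not from ESET or the article: compare installed Linux
binaries with the md5sums manifests dpkg wrote at install time. A trojanized
copy of a legitimate utility will no longer match its package manifest.

Assumed layout (Debian/Ubuntu, not stated in the article):
/var/lib/dpkg/info/<package>.md5sums, one "<md5>  <path relative to />" per line.
"""
import hashlib
from pathlib import Path
from typing import Callable, Dict, List, Tuple

DPKG_INFO = Path("/var/lib/dpkg/info")

# Directories where loaders of this kind would live; documentation and
# locale files are skipped to keep the report short.
BINARY_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")


def parse_md5sums(text: str) -> Dict[str, str]:
    """Parse one .md5sums manifest into {absolute path: expected md5 hex}."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        digest, sep, rel = line.strip().partition("  ")
        if not sep or len(digest) != 32 or not rel:
            continue  # malformed line: ignore it rather than abort the scan
        expected["/" + rel] = digest.lower()
    return expected


def md5_of_file(path: str) -> str:
    """MD5 of a file on disk; MD5 is used only because dpkg records MD5."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(expected: Dict[str, str],
                    read_digest: Callable[[str], str] = md5_of_file,
                    dirs: Tuple[str, ...] = BINARY_DIRS) -> List[Tuple[str, str, str]]:
    """Return (path, expected_md5, actual_md5_or_'missing') for each mismatch.

    read_digest is injectable so the logic can be exercised on constructed data.
    """
    mismatches = []
    for path, want in expected.items():
        if not path.startswith(dirs):
            continue
        try:
            got = read_digest(path)
        except FileNotFoundError:
            got = "missing"
        if got != want:
            mismatches.append((path, want, got))
    return mismatches


def scan_system() -> List[Tuple[str, str, str]]:
    """Verify every installed package's manifest on the local host."""
    report = []
    for manifest in sorted(DPKG_INFO.glob("*.md5sums")):
        report.extend(verify_manifest(parse_md5sums(manifest.read_text())))
    return report


# Constructed manifest and fake filesystem for an offline demonstration.
SAMPLE_MANIFEST = """\
d41d8cd98f00b204e9800998ecf8427e  usr/bin/curl
0cc175b9c0f1b6a831c399e269772661  usr/bin/ls
e10adc3949ba59abbe56e057f20f883e  usr/sbin/nologin
900150983cd24fb0d6963f7d28e17f72  usr/share/doc/curl/README
"""
FAKE_FS = {
    "/usr/bin/curl": b"",          # matches its recorded digest
    "/usr/bin/ls": b"trojanized",  # modified: digest will not match
    # /usr/sbin/nologin deliberately absent -> reported as "missing"
}


def demo() -> List[Tuple[str, str, str]]:
    def fake_digest(path: str) -> str:
        if path not in FAKE_FS:
            raise FileNotFoundError(path)
        return hashlib.md5(FAKE_FS[path]).hexdigest()
    return verify_manifest(parse_md5sums(SAMPLE_MANIFEST), fake_digest)


if __name__ == "__main__":
    for path, want, got in demo():
        print(f"{path}: expected {want}, got {got}")
```

Two caveats matter on a host that is actually suspected of being compromised. An attacker with root can rewrite the local manifests as easily as the binaries, so compare against digests taken from the distribution’s package mirror (`debsums` on Debian-based systems, `rpm -Va` on RPM-based ones) rather than trusting `/var/lib/dpkg/info` alone. And because the article says FontOnLake is always accompanied by a kernel rootkit, file reads made from inside the running system may themselves be lied to; hash the disk from a known-good boot medium or a forensic image when the result has to be trusted.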
ESET said it found two different versions of the Linux rootkit that are based on an open-source rootkit project and share overlapping functionality, including hiding processes, files, network connections, and the rootkit itself, while also being able to carry out file operations and to extract and execute the user-mode backdoor.
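Process hiding of the kind attributed to the rootkit above is usually done by filtering the directory listing of `/proc`, which is what `ps` and `top` read, while other kernel paths still see the process. As an added example (not code from ESET or the article), the script below brute-forces the PID space and flags processes that `kill(pid, 0)` reports as alive but that are missing from the listing. The constructed process table used for the offline demonstration is made up; the live scan functions read the real `/proc` on Linux.

```python
"""Added example, not from ESET or the article: a user-space check for the
process-hiding behaviour described above. Rootkits that filter readdir() of
/proc often leave other code paths intact, so a PID that kill(pid, 0) reports
as alive but that is missing from the /proc listing is worth investigating.
"""
import os
from typing import Callable, List, Optional, Set


def visible_pids() -> Set[int]:
    """PIDs as the /proc directory listing reports them (what `ps` uses)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_exists(pid: int) -> bool:
    """Probe with signal 0: nothing is delivered, only existence is tested."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user
    return True


def tgid_of(pid: int) -> Optional[int]:
    """Thread-group id from /proc/<pid>/status, or None if unreadable."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None


def read_max_pid() -> int:
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read())


def find_hidden_pids(visible: Set[int],
                     exists: Callable[[int], bool],
                     tgid: Callable[[int], Optional[int]],
                     max_pid: int) -> List[int]:
    """Walk the PID space and keep processes that exist but are not listed.

    kill() accepts thread ids too, and /proc lists only thread-group leaders,
    so a candidate whose Tgid differs from its pid is an ordinary thread and is
    dropped. A candidate whose status file is unreadable is kept: it is either
    hidden or it exited between the two checks, so re-run to confirm.
    """
    hidden = []
    for pid in range(1, max_pid + 1):
        if pid in visible or not exists(pid):
            continue
        group = tgid(pid)
        if group is not None and group != pid:
            continue
        hidden.append(pid)
    return hidden


def scan_live_system() -> List[int]:
    return find_hidden_pids(visible_pids(), pid_exists, tgid_of, read_max_pid())


# Constructed process table for an offline demonstration: the kernel "knows"
# six tasks, /proc lists three, and 101 is a thread belonging to 100.
FAKE_VISIBLE = {1, 2, 100}
FAKE_ALIVE = {1, 2, 100, 101, 250, 300}
FAKE_TGID = {1: 1, 2: 2, 100: 100, 101: 100, 250: 250}  # 300: status unreadable


def demo() -> List[int]:
    return find_hidden_pids(FAKE_VISIBLE,
                            lambda pid: pid in FAKE_ALIVE,
                            lambda pid: FAKE_TGID.get(pid),
                            max_pid=400)


if __name__ == "__main__":
    print("hidden in constructed table:", demo())
    if os.path.isdir("/proc"):
        print("hidden on this host:", scan_live_system())
```

The check is only as good as the syscall it relies on: a rootkit that also hooks `kill()` and the `/proc/<pid>` lookup will not be caught this way, and a process that exits between the listing and the probe produces a one-off false positive, so a PID should be reported only if it shows up on consecutive runs. For a host where the rootkit is already assumed present, the stronger comparison is between what the running system reports and a memory image or a boot from known-good media.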
It is currently not known how the attackers gain initial access to the network, but the cybersecurity company noted that the threat actor behind the attacks is “overly cautious” about leaving any tracks, relying on different, unique command-and-control (C2) servers with varying non-standard ports. All of the C2 servers observed in the VirusTotal artifacts are no longer active.
“Their scale and advanced design suggest that the authors are well versed in cybersecurity and that these tools might be reused in future campaigns,” Hrčka said. “As most of the features are designed just to hide its presence, relay communication, and provide backdoor access, we believe that these tools are used mostly to maintain an infrastructure which serves some other, unknown, malicious purposes.”