IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

FontOnLake: "Sophisticated" malware targets Linux systems

The malware stands out for its ability to maintain persistence on the infected system

Security researchers have uncovered malware dubbed “FontOnLake” that is being used in a campaign targeting Linux systems.

Present since at least May 2020, according to samples uploaded to VirusTotal, the malware stands out for its ability to maintain persistence on the infected system and for the sophistication of its design.

It is installed through modified, trojanized versions of common Linux utilities: cat and kill, which coreutils provides, and sftp and sshd, which come from OpenSSH and are installed by default on many systems. Because these utilities are commonly executed at system start-up, replacing them gives the malware persistence. The trojanized binaries are also used to install custom backdoors and rootkits.
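A first check a defender would run on a host suspected of this kind of tampering is to compare the utilities named above against a known-good hash baseline. The script below is an added example, not code from the article or from ESET: it builds a constructed stand-in directory with placeholder files named cat, kill, sftp and sshd, snapshots their SHA-256 hashes, tampers with sshd the way a trojanized binary would differ, and reports which files no longer match. The function names (baseline_hashes, check_binaries, demo_run) and the temporary directory layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article or ESET): compare a set of system
# utilities against a known-good SHA-256 baseline and report any that differ.
# On a real host the baseline would come from a clean machine or the package
# manager; here a stand-in directory is constructed so the script runs offline.

# baseline_hashes DIR NAME...  -> prints "hash  path" lines for each NAME in DIR
baseline_hashes() {
    dir=$1; shift
    for name in "$@"; do
        sha256sum "$dir/$name"
    done
}

# check_binaries BASELINE_FILE -> prints "MODIFIED: path" for each file whose
# current hash differs from the baseline; returns 1 if any differ, else 0
check_binaries() {
    baseline=$1
    status=0
    while read -r expected path; do
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED: $path"
            status=1
        fi
    done < "$baseline"
    return $status
}

# demo_run: constructs a fake usr/bin with placeholder files (stand-ins for
# real ELF binaries), records a baseline, tampers with sshd, and returns the
# result of the check (non-zero when tampering is detected).
demo_run() {
    tmp=$(mktemp -d)
    bindir="$tmp/usr/bin"
    mkdir -p "$bindir"
    for name in cat kill sftp sshd; do
        printf 'original %s\n' "$name" > "$bindir/$name"   # constructed content
    done
    baseline_hashes "$bindir" cat kill sftp sshd > "$tmp/baseline.txt"
    printf 'trojanized\n' >> "$bindir/sshd"                 # simulate a modified sshd
    check_binaries "$tmp/baseline.txt"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

On a Debian host the same comparison against the package manager's recorded hashes is `dpkg -V coreutils openssh-server openssh-client`; on CentOS it is `rpm -V coreutils openssh-server openssh-clients`. Either check is only trustworthy when the files are read from a trusted environment, such as an offline mount of the disk from a clean boot medium, since a rootkit that hides its presence on the live system can also hide the modified binaries from a check run there.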

Researchers have discovered three custom backdoors written in C++ that are related to FontOnLake and give operators remote access to the infected system.

“All the trojanized files are standard Linux utilities and each serves as a persistence method because they are commonly executed on system start-up. The initial way in which these trojanized applications get to their victims is not known,” said Vladislav Hrčka, malware analyst and reverse engineer at ESET.

Once the malware is on the system, it uses the installed backdoors to collect credentials and Bash history and send them to its command and control (C&C) server. The rootkits in turn let the malware hide its presence and activity on the victim's system.


The trojanized applications and the rootkit communicate through a virtual file that the rootkit creates. An operator can read or write data through this file and retrieve it via the backdoor component.

Researchers suspect that FontOnLake is being used in targeted attacks. Its operators are also careful: each of the samples on VirusTotal uses a different C&C server, and those servers have since been deactivated. Analysis suggests the malware is active in Southeast Asia, and some samples indicate that Debian and CentOS are among the targeted distributions.

ESET says FontOnLake may be the same malware previously analyzed by researchers at the Tencent Security Response Center, Avast, and Lacework Labs.

“Companies or individuals who want to protect their Linux endpoints or servers from this threat should use a multilayered security product and an updated version of their Linux distribution,” said Hrčka.
