In other words, these trojanized programs appear to have been modified at the source-code level, which indicates that the attackers recompiled them and dropped the results over the original binaries. Besides delivering the malware itself, the modified utilities load additional payloads, collect information, and perform other malicious actions.
FontOnLake's toolset consists of three kinds of components: trojanized versions of standard Linux utilities, a kernel-mode rootkit, and backdoors, all of which communicate with one another through virtual files. The custom backdoors, written in C++, are designed to monitor the system, covertly execute commands received over the network, and exfiltrate account credentials. They also use custom heartbeat commands to keep the connection to the command and control server alive.
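Because the trojanized utilities were recompiled and written over the originals, the simplest check a defender can run is whether the installed files still match the checksums the package manager recorded at install time. The script below is an added example written for this page, not code from the ESET report or from FontOnLake: it parses Debian/Ubuntu `dpkg` manifests (`/var/lib/dpkg/info/<package>.md5sums`, one `<md5hex>  <path relative to />` per line) and reports files that are modified or missing. The file names, byte contents and manifest in the demo are constructed for illustration; the excerpt above does not name the specific utilities that were trojanized.

```python
"""Verify installed files against dpkg's recorded MD5 manifests.

Added example for this article, not part of the FontOnLake report.
dpkg records one "<md5hex>  <path-relative-to-root>" line per file in
/var/lib/dpkg/info/<package>.md5sums. A utility that has been recompiled
and dropped over the original will no longer match that digest.
"""
import hashlib
import os
from typing import Callable, Dict, List, Optional


def parse_md5sums(text: str) -> Dict[str, str]:
    """Parse md5sums manifest text into {absolute path: md5 hex digest}."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # dpkg separates digest and path with two spaces, like md5sum(1).
        digest, _, rel_path = line.partition("  ")
        if len(digest) != 32 or not rel_path:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries["/" + rel_path] = digest.lower()
    return entries


def verify(manifest: Dict[str, str],
           read_file: Callable[[str], Optional[bytes]]) -> Dict[str, List[str]]:
    """Compare every manifest entry with the bytes read_file returns.

    read_file(path) returns the file contents, or None if it cannot be read.
    Returns {'modified': [...], 'missing': [...], 'ok': [...]} (sorted paths).
    """
    result: Dict[str, List[str]] = {"modified": [], "missing": [], "ok": []}
    for path, expected in sorted(manifest.items()):
        data = read_file(path)
        if data is None:
            result["missing"].append(path)
        elif hashlib.md5(data).hexdigest() != expected:
            result["modified"].append(path)
        else:
            result["ok"].append(path)
    return result


def read_from_disk(path: str) -> Optional[bytes]:
    """Reader for a live system; unreadable files count as missing."""
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except (FileNotFoundError, PermissionError, IsADirectoryError):
        return None


def load_all_manifests(info_dir: str = "/var/lib/dpkg/info") -> Dict[str, str]:
    """Merge every *.md5sums manifest found under info_dir (Debian/Ubuntu)."""
    manifest: Dict[str, str] = {}
    for name in os.listdir(info_dir):
        if name.endswith(".md5sums"):
            with open(os.path.join(info_dir, name), encoding="utf-8") as fh:
                manifest.update(parse_md5sums(fh.read()))
    return manifest


# --- Constructed demo data (not real binaries or real FontOnLake samples) ---
ORIGINAL_CAT = b"#!/bin/sh\necho original cat\n"
TROJANIZED_CAT = b"#!/bin/sh\necho trojanized cat\n"   # recompiled replacement
KILL_BYTES = b"#!/bin/sh\necho kill\n"                   # untouched utility

# Manifest as dpkg would have recorded it at install time.
DEMO_MANIFEST = (
    f"{hashlib.md5(ORIGINAL_CAT).hexdigest()}  bin/cat\n"
    f"{hashlib.md5(KILL_BYTES).hexdigest()}  bin/kill\n"
)

# "Filesystem" after the attacker replaced /bin/cat.
DEMO_FS: Dict[str, bytes] = {"/bin/cat": TROJANIZED_CAT, "/bin/kill": KILL_BYTES}


def demo() -> Dict[str, List[str]]:
    """Run the check against the constructed manifest and filesystem."""
    return verify(parse_md5sums(DEMO_MANIFEST), DEMO_FS.get)


if __name__ == "__main__":
    report = demo()
    for status in ("modified", "missing"):
        for path in report[status]:
            print(f"{status.upper():8} {path}")
    # On a real Debian host: verify(load_all_manifests(), read_from_disk)
```

Two caveats follow directly from the toolset described above. First, a kernel-mode rootkit can hide files or feed a userland reader the original bytes, so a clean result from a live system is only as trustworthy as the running kernel; run the check from trusted boot media or over a disk image taken offline. Second, `dpkg` stores MD5 digests as an integrity hint, not as a tamper-proof record: an attacker with root can rewrite the manifest too, so compare against digests from the distribution's package archive or a baseline taken before the incident rather than only against the local files. On RPM-based systems, `rpm -Va` performs the equivalent comparison.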
It is not yet known how the attackers obtained initial access to the network, but the researchers point out that they are very cautious and avoid leaving traces by relying on distinct, unique command and control (C2) servers and a range of non-standard ports. The researchers believe the authors of FontOnLake are well versed in cybersecurity and note that all of the C2 servers observed in samples uploaded to VirusTotal had already been taken down.