FontOnLake malware infects Linux systems through standard utilities

Researchers from ESET recently discovered a piece of malware that has been infecting Linux systems through trojanized standard Linux utilities. ESET named the malware FontOnLake; its advanced design and the continuous addition of new features have enabled it to remain active on infected systems.
FontOnLake has multiple modules that interact with each other and communicate with the malware operators to steal sensitive data while keeping the infection hidden on the system. ESET researchers found multiple malware samples uploaded to the VirusTotal scanning service, the earliest of which appeared in May 2020.

According to Vladislav Hrčka, malware analyst and reverse engineer at ESET, "all the trojanized files are standard Linux utilities and each serves as a persistence method because they are commonly executed on system start-up. The initial way in which these trojanized applications get to their victims is not known. Communication of a trojanized application with its rootkit runs through a virtual file, which is created and managed by the rootkit."

In other words, these trojanized programs were likely modified at the source code level, which indicates that the attacker compiled them and replaced the original binaries on disk. Besides carrying the malware itself, these modified utilities can load additional payloads, collect information, and perform other malicious actions.
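As an added example (not from ESET's report), the following Python script shows the defender-side check this implies: record a trusted baseline of hashes for utilities that run at start-up, then flag any binary that has since been replaced or removed. The directory, utility names and file contents are constructed so it runs offline; on a real host `dpkg --verify` or `rpm -Va` performs the equivalent comparison against the package database.

```python
"""Baseline integrity check for start-up utilities (added example).

FontOnLake persists by swapping standard utilities for recompiled builds.
Comparing on-disk binaries against a trusted SHA-256 baseline catches such
a swap; the demo below uses a constructed temp directory, not real /bin.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str, names: list[str]) -> dict[str, str]:
    """Record hashes of the listed utilities while the host is trusted."""
    return {n: sha256_file(os.path.join(root, n)) for n in names}


def check_integrity(root: str, baseline: dict[str, str]) -> dict[str, str]:
    """Return {utility: reason} for every entry that no longer matches."""
    findings = {}
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            findings[name] = "missing"
        elif sha256_file(path) != expected:
            findings[name] = "hash mismatch (binary replaced or modified)"
    return findings


def demo() -> dict[str, str]:
    """Constructed scenario: one utility replaced, one removed after baselining."""
    names = ["cat", "kill", "sftp", "sshd"]  # constructed sample names
    with tempfile.TemporaryDirectory() as root:
        for name in names:
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"#!/bin/sh\necho original " + name.encode() + b"\n")
        baseline = build_baseline(root, names)
        # simulate a trojanized replacement and a deleted utility
        with open(os.path.join(root, "sshd"), "wb") as f:
            f.write(b"#!/bin/sh\necho recompiled sshd\n")
        os.remove(os.path.join(root, "kill"))
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```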

FontOnLake’s toolset consists of three components: trojanized versions of standard Linux utilities, a kernel-mode rootkit, and a backdoor, all of which communicate with each other through virtual files. The custom C++ backdoor is designed to monitor the system, execute commands covertly, and exfiltrate account credentials. It also uses custom heartbeat commands to maintain its connection to the command and control server.

It is not yet known how the attacker obtained initial access to the network, but the researchers pointed out that the attacker is very cautious and avoids leaving traces by relying on distinct, unique command and control (C2) servers and non-standard ports. The researchers believe the author of FontOnLake is proficient in network security; all C2 servers observed in the samples uploaded to VirusTotal have since been disabled.