Security News > 2021 > October > Researchers Warn of FontOnLake Rootkit Malware Targeting Linux Systems
Cybersecurity researchers have detailed a new campaign that likely targets entities in Southeast Asia with a previously unrecognized Linux malware that's engineered to enable remote access to its operators, in addition to amassing credentials and function as a proxy server.
The malware family, dubbed "FontOnLake" by Slovak cybersecurity firm ESET, is said to feature "Well-designed modules" that are continuously being upgraded with new features, indicating an active development phase.
"To collect data or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake's presence is always accompanied by a rootkit. These binaries are commonly used on Linux systems and can additionally serve as a persistence mechanism."
FontOnLake's toolset includes three components that consist of trojanized versions of legitimate Linux utilities that are used to load kernel-mode rootkits and user-mode backdoors, all of which communicate with one another using virtual files.
A second permutation of the backdoor also comes with capabilities to act as a proxy, manipulate files, download arbitrary files, while a third variant, besides incorporating features from the other two backdoors, is equipped to execute Python scripts and shell commands.
ESET said it found two different versions of the Linux rootkit that's based on an open-source project called Suterusu and share overlaps in functionality, including hiding processes, files, network connections, and itself, while also being able to carry out file operations, and extract and execute the user-mode backdoor.
News URL
Related news
- GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks (source)
- New Bifrost malware for Linux mimics VMware domain for evasion (source)
- New BIFROSE Linux Malware Variant Using Deceptive VMware Domain for Evasion (source)
- Stealthy GTPDOOR Linux malware targets mobile operator networks (source)
- Magnet Goblin hackers use 1-day flaws to drop custom Linux malware (source)
- Hackers leverage 1-day vulnerabilities to deliver custom Linux malware (source)
- Week in review: Cybersecurity job openings, hackers use 1-day flaws to drop custom Linux malware (source)
- Suspected Russian Data-Wiping 'AcidPour' Malware Targeting Linux x86 Devices (source)