ESET security team had identified a new malware family named “FontOnLake” that are constantly upgraded with new functionality to infect victims with an indication of an active development phase. According to samples uploaded to VirusTotal , the first intrusions involving this threat could have occurred as early as May 2020.
ESET researchers Vladislav Hrka reported that , the Nature of FontOnLake ‘s tools together with their complex design and low usage suggest that they are used in targeted attacks. This malware family uses programmes that have been modified to load additional components in order to collect data.
These binaries are widely used on Linux Systems and they can be used as a storage mechanism.
FontOnLake can be divided into three following groups that interact with each other
- Trojanized applications – modified legitimate binaries that are adjusted to load further components, collect data, or conduct other malicious activities.
- Backdoors – user mode components serving as the main point of communication for its operators.
- Rootkits – kernel mode components that mostly hide and disguise their presence, assist with updates, or provide fallback backdoors.
The overall functionality of these backdoors consists of the following methods:
- Exfiltrating the collected data
- Creating a bridge between a customer server running locally and its C&C
- Manipulating files (for instance, upload/download, create/delete, directory listing, modify attributes, and so on)
- Serving as a proxy
- Executing arbitrary shell commands and python scripts
Additionally the team has discovered the two different versions of the Linux rootkit that are based on an open-source project called Suterusu and share functionality overlaps, such as the ability to hide processes, files, network connections, and itself, as well as perform file operations and extract and execute the user-mode backdoor.
Hrka said that ,”Their magnitude and complex design indicate that the authors are cybersecurity experts, and these tools might be utilised in future attacks.”
Because the majority of the functions are meant to hide its presence, relay communication and give backdoor access. These tools are used to maintain an infrastructure that supports undisclosed, malevolent purposes.
Indicators of Compromise
Samples
| SHA-1 | Description | Detection name |
| 1F52DB8E3FC3040C017928F5FFD99D9FA4757BF8 | Trojanized cat | Linux/FontOnLake |
| 771340752985DD8E84CF3843C9843EF7A76A39E7 | Trojanized kill | |
| 27E868C0505144F0708170DF701D7C1AE8E1FAEA | Trojanized sftp | |
| 45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378 | Trojanized sshd | |
| 1829B0E34807765F2B254EA5514D7BB587AECA3F | Custom sshd | |
| 8D6ACA824D1A717AE908669E356E2D4BB6F857B0 | Custom sshd | |
| 38B09D690FAFE81E964CBD45EC7CF20DCB296B4D | Backdoor 1 variant 1 | |
| 56556A53741111C04853A5E84744807EEADFF63A | Backdoor 1 variant 2 | |
| FE26CB98AA1416A8B1F6CED4AC1B5400517257B2 | Backdoor 1 variant 3 | |
| D4E0E38EC69CBB71475D8A22EDB428C3E955A5EA | Backdoor 1 variant 4 | |
| 204046B3279B487863738DDB17CBB6718AF2A83A | Backdoor 2 variant 1 | |
| 9C803D1E39F335F213F367A84D3DF6150E5FE172 | Backdoor 2 variant 2 | |
| BFCC4E6628B63C92BC46219937EA7582EA6FBB41 | Backdoor 2 variant 3 | |
| 515CFB5CB760D3A1DA31E9F906EA7F84F17C5136 | Backdoor 3 variant 4 | |
| A9ED0837E3AF698906B229CA28B988010BCD5DC1 | Backdoor 3 variant 5 | |
| 56CB85675FE7A7896F0AA5365FF391AC376D9953 | Rootkit 1 version 1 | |
| 72C9C5CE50A38D0A2B9CEF6ADEAB1008BFF12496 | Rootkit 1 version 2 |
C&Cs
From samples:
47.107.60[.]212
47.112.197[.]119
156.238.111[.]174
172.96.231[.]69
hm2.yrnykx[.]com
ywbgrcrupasdiqxknwgceatlnbvmezti[.]com
yhgrffndvzbtoilmundkmvbaxrjtqsew[.]com
wcmbqxzeuopnvyfmhkstaretfciywdrl[.]name
ruciplbrxwjscyhtapvlfskoqqgnxevw[.]name
pdjwebrfgdyzljmwtxcoyomapxtzchvn[.]com
nfcomizsdseqiomzqrxwvtprxbljkpgd[.]name
hkxpqdtgsucylodaejmzmtnkpfvojabe[.]com
etzndtcvqvyxajpcgwkzsoweaubilflh[.]com
esnoptdkkiirzewlpgmccbwuynvxjumf[.]name
ekubhtlgnjndrmjbsqitdvvewcgzpacy[.]name
From internet-wide scan:
27.102.130[.]63
Filenames
/lib/modules/%VARIABLE%/kernel/drivers/input/misc/ati_remote3.ko
/etc/sysconfig/modules/ati_remote3.modules
/tmp/.tmp_%RANDOM%
Virtual filenames
/proc/.dot3
/proc/.inl
–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin
CyberWorkx 