Posted on Leave a comment

New Rootkit Malware Targeting Linux Systems With Advanced Features.

ESET security team had identified a new malware family named “FontOnLake” that are constantly upgraded with new functionality to infect victims with an indication of an active development phase. According to samples uploaded to VirusTotal , the first intrusions involving this threat could have occurred as early as May 2020.

ESET researchers Vladislav Hrka reported that , the Nature of FontOnLake ‘s tools together with their complex design and low usage suggest that they are used in targeted attacks. This malware family uses  programmes that have been modified to load additional components in order to collect data.

These binaries are widely used on Linux Systems and they can be used as a storage mechanism.   

FontOnLake can be divided into three following groups that interact with each other

  • Trojanized applications – modified legitimate binaries that are adjusted to load further components, collect data, or conduct other malicious activities.
  • Backdoors – user mode components serving as the main point of communication for its operators.
  • Rootkits – kernel mode components that mostly hide and disguise their presence, assist with updates, or provide fallback backdoors.
Source:ESET

The overall functionality of these backdoors consists of the following methods:

  • Exfiltrating the collected data
  • Creating a bridge between a customer server running locally and its C&C
  • Manipulating files (for instance, upload/download, create/delete, directory listing, modify attributes, and so on)
  • Serving as a proxy
  • Executing arbitrary shell commands and python scripts

Additionally the team has discovered the two different versions of the Linux rootkit that are based on an open-source project called Suterusu and share functionality overlaps, such as the ability to hide processes, files, network connections, and itself, as well as perform file operations and extract and execute the user-mode backdoor.

Hrka said that ,”Their magnitude and complex design indicate that the authors are cybersecurity experts, and these tools might be utilised in future attacks.”

Because the majority of the functions are meant  to hide its presence, relay communication and give backdoor access. These tools are used to maintain an infrastructure that supports undisclosed, malevolent purposes.

Indicators of Compromise

Samples

SHA-1DescriptionDetection name
1F52DB8E3FC3040C017928F5FFD99D9FA4757BF8Trojanized catLinux/FontOnLake
771340752985DD8E84CF3843C9843EF7A76A39E7Trojanized kill
27E868C0505144F0708170DF701D7C1AE8E1FAEATrojanized sftp
45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378Trojanized sshd
1829B0E34807765F2B254EA5514D7BB587AECA3FCustom sshd
8D6ACA824D1A717AE908669E356E2D4BB6F857B0Custom sshd
38B09D690FAFE81E964CBD45EC7CF20DCB296B4DBackdoor 1 variant 1
56556A53741111C04853A5E84744807EEADFF63ABackdoor 1 variant 2
FE26CB98AA1416A8B1F6CED4AC1B5400517257B2Backdoor 1 variant 3
D4E0E38EC69CBB71475D8A22EDB428C3E955A5EABackdoor 1 variant 4
204046B3279B487863738DDB17CBB6718AF2A83ABackdoor 2 variant 1
9C803D1E39F335F213F367A84D3DF6150E5FE172Backdoor 2 variant 2
BFCC4E6628B63C92BC46219937EA7582EA6FBB41Backdoor 2 variant 3
515CFB5CB760D3A1DA31E9F906EA7F84F17C5136Backdoor 3 variant 4
A9ED0837E3AF698906B229CA28B988010BCD5DC1Backdoor 3 variant 5
56CB85675FE7A7896F0AA5365FF391AC376D9953Rootkit 1 version 1
72C9C5CE50A38D0A2B9CEF6ADEAB1008BFF12496Rootkit 1 version 2

C&Cs

From samples:

47.107.60[.]212
47.112.197[.]119
156.238.111[.]174
172.96.231[.]69
hm2.yrnykx[.]com
ywbgrcrupasdiqxknwgceatlnbvmezti[.]com
yhgrffndvzbtoilmundkmvbaxrjtqsew[.]com
wcmbqxzeuopnvyfmhkstaretfciywdrl[.]name
ruciplbrxwjscyhtapvlfskoqqgnxevw[.]name
pdjwebrfgdyzljmwtxcoyomapxtzchvn[.]com
nfcomizsdseqiomzqrxwvtprxbljkpgd[.]name
hkxpqdtgsucylodaejmzmtnkpfvojabe[.]com
etzndtcvqvyxajpcgwkzsoweaubilflh[.]com
esnoptdkkiirzewlpgmccbwuynvxjumf[.]name
ekubhtlgnjndrmjbsqitdvvewcgzpacy[.]name

From internet-wide scan:

27.102.130[.]63

Filenames

/lib/modules/%VARIABLE%/kernel/drivers/input/misc/ati_remote3.ko
/etc/sysconfig/modules/ati_remote3.modules
/tmp/.tmp_%RANDOM%

Virtual filenames

/proc/.dot3
/proc/.inl

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Leave a Reply