Relatively new malware for Linux is quietly making its way onto several Linux distros through legitimate but infected binaries. The FontOnLake virus uses surprisingly sophisticated methods to evade detection and ensure a persistent presence on infected computers.
Malware for Linux distros isn’t common. But this situation is gradually changing, partly because Microsoft has embraced Linux. The FontOnLake virus is a new breed of malware that successfully keeps a low profile and a small footprint. However, once a computer is infected, the malware is quite difficult to remove.
New Linux malware resides inside legitimate utilities, but the distribution network remains undiscovered:
Researchers at ESET have been tracking the FontOnLake malware for about a year and a half now. Through a detailed report, the cybersecurity company claims the first sample with the virus’ signature surfaced in May 2020.
Researchers believe FontOnLake may be used in targeted attacks, executed by trained and sophisticated operators. This is because every attack instance used unique Command and Control (C2) servers. The attacks also relied on multiple non-standard ports.
Cyber Alert!!
Linux under attack by FontOnLake, a new malware family, that utilizes custom and well-designed modules for targeting https://t.co/UKkKMm67Wu #entersoft #FontOnLake #malware #linux #networksecurity #rootkit #backdoor #infosec #cybersecurity #cybercrime pic.twitter.com/Gm9WVJYXUm
— Entersoft (@EntersoftTeam) October 11, 2021
The FontOnLake malware is interesting primarily because its operators distribute it by lacing legitimate binaries. Simply put, the Linux malware is spreading through standard, and presumably popular, applications for Linux distros.
It is rather difficult to load Linux applications with malware. Hence, it is more than likely that the operators of this malware took pains to recompile popular Linux utilities with the malware built in, and then distributed them.
ESET researchers have discovered a previously unknown malware family, dubbed #FontOnLake, that utilises custom and well-designed modules, targeting operating systems running @Linux. #Linux #Cybersecurity #ESETResearch @ESETResearch
— ESET UK (@ESETUK) October 11, 2021
What’s concerning is the effectiveness of the malware at infecting a victim’s Linux PC and then staying put. Explaining this, Vladislav Hrčka, malware analyst and reverse engineer at ESET, said:
“All the trojanized files are standard Linux utilities and serve as a persistence method because they are commonly executed on system start-up.”
What does the FontOnLake malware do after infecting a Linux PC?
The FontOnLake malware comes prepackaged inside the modified and recompiled Linux binaries. Incidentally, these binaries themselves serve a malicious purpose. Reports indicate they load additional payloads, collect information, or execute other malicious actions.
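The persistence trick described in the quote above and in this paragraph, trojanized standard utilities that run on every boot, can be checked for on Debian-family systems by hashing each file a package installed and comparing it with the MD5 sums dpkg recorded at install time. The script below is an added example, not code from the article or from ESET; it assumes the dpkg layout under /var/lib/dpkg/info and is an illustration, not a full integrity monitor.

```python
import hashlib
import os
from typing import Callable, Dict, List, Optional

# dpkg records one "<md5>  <path relative to />" line per shipped file here.
DPKG_INFO = "/var/lib/dpkg/info"

def parse_md5sums(text: str) -> Dict[str, str]:
    """Parse a .md5sums file into {absolute path: expected md5 hex digest}."""
    expected = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            expected["/" + parts[1].strip()] = parts[0].lower()
    return expected

def verify(expected: Dict[str, str],
           read_file: Callable[[str], Optional[bytes]]) -> Dict[str, List[str]]:
    """Hash each recorded file; report those that differ ("modified") or are absent
    ("missing"). read_file returns bytes, or None if the path does not exist, so
    the same logic runs over constructed data or over the live filesystem."""
    result: Dict[str, List[str]] = {"modified": [], "missing": []}
    for path, md5 in sorted(expected.items()):
        data = read_file(path)
        if data is None:
            result["missing"].append(path)
        elif hashlib.md5(data).hexdigest() != md5:
            result["modified"].append(path)  # replaced or recompiled binary
    return result

def read_from_disk(path: str) -> Optional[bytes]:
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None

def check_system(info_dir: str = DPKG_INFO) -> Dict[str, List[str]]:
    """Run the check over every package's md5sums on a live Debian-family host."""
    totals: Dict[str, List[str]] = {"modified": [], "missing": []}
    for name in sorted(os.listdir(info_dir)):
        if name.endswith(".md5sums"):
            with open(os.path.join(info_dir, name), errors="replace") as fh:
                found = verify(parse_md5sums(fh.read()), read_from_disk)
            for kind in totals:
                totals[kind] += found[kind]
    return totals

if __name__ == "__main__":
    print(check_system())
```

A kernel rootkit of the kind the article goes on to describe can hide or misreport files, and the md5sums records sit on the same disk as the binaries, so a clean result is weak evidence on a suspect host. Compare against checksums fetched from the distribution's package archive or a known-good offline copy instead.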
FontOnLake malware infects Linux systems via trojanized utilities – @Ionut_Ilascu https://t.co/Id7jSKGy5I
— BleepingComputer (@BleepinComputer) October 10, 2021
So far, researchers have discovered that the malware attempts to open three backdoors to Linux PCs and then tries hard to keep them open. These backdoors give operators remote access to the infected system.
The FontOnLake malware relies on a sophisticated rootkit, called Suterusu, to hide its presence. This rootkit also pulls updates with newer payloads. Moreover, it ensures there are backup backdoors. Suterusu can hide processes, files, the primary malware, and network connections.
The main purpose of the rootkit component is to hide the stage 2 payload and ensure the traffic from the CNC is bypassing the firewall by installing a netfilter hook and redirecting the CNC packets to make it look like the packets are coming from localhost. 4/7
— Avast Threat Labs (@AvastThreatLabs) August 25, 2021
It appears that the malware could be an advanced version of HCRootkit, which Avast discovered. That malware also relied on Suterusu to hide itself and pulled in additional payloads. A separate investigation by Lacework Labs also indicates the two malware strains could be the same.