FontOnLake: New Linux Malware Used in Targeted Attacks

Description

FortiGuard Labs is aware of a new Linux malware family named "FontOnLake." FontOnLake is a sophisticated malware family that contains a Linux rootkit running at the kernel level to prolong its shelf life and ultimately evade detection. Discovered by ESET, the malware was first seen on VirusTotal in May 2020 and appears to have targeted organizations in Southeast Asia. Given how evasive rootkits are, the campaign has likely been operating for longer, and in other regions, than has been discovered so far.


What makes this malware family sophisticated is its use of multiple modules to perform various types of data exfiltration, together with a rootkit that helps establish persistence on the targeted machine.


FontOnLake evades endpoint security by combining trojanized applications (legitimate software that has been altered), backdoors (which the rootkit can replace if they are removed) and a kernel-level rootkit that runs undetected. Together these allow the rootkit to run in the background unbeknownst to the system administrator and to security software.


Why is this Important?

Linux rootkits are somewhat rare, especially ones running in kernel mode. In essence, a kernel-mode rootkit allows malicious operations to occur on the affected machine unbeknownst to the end user and without detection. This is because the rootkit operates at the highest level of privilege and the lowest level of the operating system (ring 0), where all actions are considered trusted and secure. This allows the rootkit and the rest of the FontOnLake malware family to run in the background undetected by endpoint security software.


Also, kernel-mode access provides lasting persistence: if FontOnLake applications and components are detected and wiped by a system administrator or an endpoint solution, the rootkit allows the threat actor to simply replace and re-add the cleaned-up files.


What are the Specific Components of FontOnLake?

FontOnLake consists of three components: trojanized applications, a backdoor and a rootkit.


Trojanized applications are modified versions of utilities available in the standard Linux environment. They are used to load custom backdoors and/or rootkit modules, and can collect credentials as well. Harvested credentials are written to a virtual file created and managed by the rootkit component.


The backdoor component used by FontOnLake sends credentials harvested from sshd and bash command history to its Command and Control (C&C) server, and can also receive remote commands to perform additional malicious activities.


Finally, the rootkit component hides processes, files and network connections, and passes the harvested credentials to the backdoor component.


What Regions Are Being Targeted?

Currently, the authors of the ESET report have observed activity in Southeast Asia. However, because a rootkit is involved, there is a high possibility that the actual installation base is significantly larger.


What Mitigations are Available if Any?

It is suggested that system administrators run the chkrootkit command to see whether any components of the operating system have been tampered with. System administrators should also look for other rootkit detection tools designed for their particular Linux environments and use those to test for rootkits as well.
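Because the trojanized applications described above are altered copies of standard Linux utilities, one practical complement to chkrootkit is a file-integrity baseline: record the SHA-256 hashes of the system utilities while the host is known-good, keep that baseline off the host (or on read-only media), and later compare the live binaries against it. The script below is an added example written for this advisory, not FortiGuard's or ESET's tooling; the list of utilities in DEFAULT_BINARIES is an assumption about commonly replaced binaries, not a list taken from the FontOnLake report.

```shell
#!/bin/sh
# Added example: baseline-and-compare integrity check for system utilities.
# Usage:  ./integrity.sh baseline /path/to/baseline.sha256 [binaries...]
#         ./integrity.sh check    /path/to/baseline.sha256
# Keep the baseline file off the monitored host; a kernel rootkit that hides
# files can also lie to this check, so for a suspected compromise run it from
# a rescue boot against the mounted disk rather than on the live system.

# Assumed list of utilities worth baselining (not taken from the advisory).
DEFAULT_BINARIES="/bin/ls /bin/ps /bin/netstat /bin/ss /usr/sbin/sshd /bin/bash"

# Print the SHA-256 of one file, using whichever hashing tool is available.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# write_baseline BASELINE_FILE PATH...  records "hash  path" for each file
# that exists; missing paths are skipped so one list fits several distros.
write_baseline() {
    baseline="$1"
    shift
    : > "$baseline"
    for path in "$@"; do
        [ -f "$path" ] || continue
        printf '%s  %s\n' "$(hash_file "$path")" "$path" >> "$baseline"
    done
}

# check_baseline BASELINE_FILE  prints one line per file that is missing or
# whose hash differs, and returns 1 if anything deviates (0 when all match).
check_baseline() {
    baseline="$1"
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -e "$path" ]; then
            printf 'MISSING  %s\n' "$path"
            status=1
            continue
        fi
        actual=$(hash_file "$path")
        if [ "$actual" != "$expected" ]; then
            printf 'CHANGED  %s\n' "$path"
            status=1
        fi
    done < "$baseline"
    return "$status"
}

# Command dispatch only runs when arguments are given, so the functions can
# also be sourced from another script.
if [ "$#" -gt 0 ]; then
    case "$1" in
        baseline)
            out="$2"; shift 2
            [ "$#" -gt 0 ] || set -- $DEFAULT_BINARIES
            write_baseline "$out" "$@"
            ;;
        check)
            check_baseline "$2"
            ;;
        *)
            echo "usage: $0 baseline FILE [PATH...] | check FILE" >&2
            exit 2
            ;;
    esac
fi
```

The check reports both replaced binaries (CHANGED) and deleted ones (MISSING), and its exit status makes it easy to wire into a cron job or a monitoring agent. Package-manager verification (for example dpkg's or rpm's verify modes) covers the same ground for packaged files, but a baseline you control also catches changes to binaries the package database does not know about.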


What is the Status of Coverage?

FortiGuard Labs customers with the latest AV definitions are protected against this campaign by the following signatures:


Linux/Agent.JR!tr

Linux/FontOnLake.B!tr

Linux/FontOnLake.C!tr

Linux/FontOnLake.D!tr

Linux/Sshdkit.A!tr

Linux/Sshdkit.A!tr.bdr

Linux/Sshdkit.FO!tr.bdr

Linux/Sshdkit.IWZUAVT!tr.bdr

Linux/Sshdkit.JCYEJAS!tr.bdr


All known network IOCs are blocked by the WebFiltering client.