Threat Signal Report

FontOnLake: New Linux Malware Used in Targeted Attacks

Description

FortiGuard Labs is aware of a new, Linux malware family named "FontOnLake." FontOnLake is a very sophisticated malware family that contains a Linux rootkit which runs at the kernel level to prolong its shelf life and to ultimately evade detection. Discovered by ESET, the malware was first seen on VirusTotal in May 2020 and appears to have targeted organizations in Southeast Asia. Due to the evasive nature of rootkits, it is likely that the campaign has operated longer and is likely to have operated in other regions (and have yet to be discovered).


What makes this malware family sophisticated is the usage of multiple modules to perform various types of data exfiltration, along with a rootkit that helps to set persistence on the targeted machine.


FontOnLake has the ability to bypass security endpoints by utilizing trojanized applications (legitimate software that is altered), backdoors (that can be replaced by the rootkit) and a kernel level rootkit which can run undetected. This will ultimately allow the rootkit to run in the background unbeknownst to the system administrator and security software.


Why is this Important?

Linux rootkits are somewhat rare, especially ones running in kernel mode. In essence, a kernel mode rootkit allows for malicious operations to occur on the affected machine unbeknownst to the end user and ultimately operate without detection. This is because the rootkit is operating at the highest levels of privilege while operating at the lowest level of the operating system (ring 0) where all actions are considered trusted and secure. This type of activity will allow for the rootkit and FontOnLake malware family to run in the background undetected by endpoint security software.


Also, having kernel mode access will allow for ultimate persistence, because if FontOnLake applications and components are detected and wiped by the system administrator, endpoint solution; the rootkit will allow for the threat actor to simply replace and re-add cleaned up files, etc.


What are the Specific Components of FontOnLake?

FontOnLake consists of three components: trojanized applications, a backdoor and a rootkit.


Trojanized applications are modified versions of Linux utilities available in the standard Linux environment. The trojanized applications are used to load custom backdoors and/or rootkit modules, and can collect credentials as well. Harvested credentials are written in a virtual file created and managed by the rootkit component.


The backdoor component used by FontOnLake can send credentials harvested from sshd and bash command history to its Command and Control (C&C) server as well as being able to receive remote commands to perform additional malicious activities.


And finally, the rootkit component can hide processes, files and network connections, as well as passing the harvested credentials to the backdoor component.


What Regions Are Being Targeted?

Currently, the authors of the paper have observed activity in Southeast Asia. However, because it is a rootkit, there is a high possibility that the installation base is significantly higher.


What Mitigations are Available if Any?

it is suggested that system administrators run the chkrootkit command to see if any components on the operating system have been adulterated. For other tools it is suggested that system administrators find applicable rootkit detection tools designed for various Linux environments to test for rootkits as well.


What is the Status of Coverage?

FortiGuard Labs customers with the latest AV definitions are protected against this campaign by the following signatures:


Linux/Agent.JR!tr

Linux/FontOnLake.B!tr

Linux/FontOnLake.C!tr

Linux/FontOnLake.D!tr

Linux/Sshdkit.A!tr

Linux/Sshdkit.A!tr.bdr

Linux/Sshdkit.FO!tr.bdr

Linux/Sshdkit.IWZUAVT!tr.bdr

Linux/Sshdkit.JCYEJAS!tr.bdr


All known network IOC's are blocked by the WebFiltering client.


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.