Security researchers have uncovered a new, previously unseen malware family targeting Linux systems. Dubbed FontOnLake by ESET researchers, and HCRootkit by Avast and Lacework, the malware has rootkit capabilities, advanced design and low prevalence, suggesting that it is primarily meant for targeted attacks.
HCRootkit / FontOnLake Rootkit Targeting Linux Systems
According to researchers, the FontOnLake rootkit is continuously being upgraded with new features, meaning that it is in active development. VirusTotal samples of the malware reveal that its first use in the wild dates back to May 2020. It appears that the malware targets entities in Southeast Asia, but other regions may soon be added to its target list.
The malware grants remote access to its operators, and could be used for credential harvesting and as a proxy server.
Lacework Labs recently examined the new malware, which was first shared by Avast. The researchers’ analysis is based on Avast’s findings as well as their own research into this new malware family. According to Lacework’s analysis, “the kernel module as pointed out by Avast is the open-source rootkit ‘Sutersu’. This rootkit has wide kernel version support, as well as supporting multiple architectures including x86, x86_64, and ARM. Sutersu supports file, port, and process hiding, as one would expect from a rootkit. Sutersu also supports functionality beyond process and file hiding in the form of additional modules that are specified during compile time.”
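One user-space check defenders run for the process-hiding capability described above, added here as an example (not code from ESET, Avast or Lacework): a rootkit that filters /proc directory listings typically still answers when /proc/<pid> is addressed directly, so the two views are compared. The function and parameter names are ours, and the check assumes a standard procfs mount; a rootkit that also hooks direct lookups would evade it.

```python
# Added example: cross-check directory enumeration of /proc against direct
# per-PID probes to surface processes hidden from ps/top-style listings.
import os
from typing import Callable, Iterable, List, Set

PROC = "/proc"  # assumption: standard procfs mount point


def listed_pids(proc_root: str = PROC) -> Set[int]:
    """PIDs as returned by directory enumeration (the view ps/top rely on)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pid_exists(pid: int, proc_root: str = PROC) -> bool:
    """Address the PID directly by path, bypassing the directory listing."""
    return os.path.isdir(os.path.join(proc_root, str(pid)))


def read_pid_max(proc_root: str = PROC) -> int:
    """Upper bound of the PID space, so every possible PID gets probed."""
    with open(os.path.join(proc_root, "sys", "kernel", "pid_max")) as fh:
        return int(fh.read())


def find_hidden_pids(listing: Callable[[], Set[int]],
                     exists: Callable[[int], bool],
                     pid_range: Iterable[int]) -> List[int]:
    """Return PIDs reachable directly but absent from two successive listings.

    The second listing filters the benign race of a process that was created
    between the first listing and the probe; a true hidden PID stays absent.
    """
    first = listing()
    candidates = [pid for pid in pid_range if pid not in first and exists(pid)]
    if not candidates:
        return []
    second = listing()
    return sorted(pid for pid in candidates if pid not in second and exists(pid))


def scan_live() -> List[int]:
    """Run the cross-check against the real /proc (Linux only)."""
    return find_hidden_pids(listed_pids, pid_exists, range(1, read_pid_max() + 1))


if __name__ == "__main__":
    hidden = scan_live()
    print("hidden PIDs:", hidden if hidden else "none")
```

A non-empty result is a lead, not proof: confirm with a second method such as comparing /proc/modules with /sys/module, since zombie or short-lived processes can also slip between the two views.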
The malware also contains additional modules, including a keylogger, a module that downloads and executes a binary, and an ICMP module to monitor “for specific magic bytes before triggering an event.”
These modules can be used together to trigger the downloading and execution of a binary when a specific ICMP packet is received, but they also can be used independently.
More technical details are available in Lacework’s technical write-up.
In May 2021, Qihoo 360 NETLAB security researchers discovered another previously unseen rootkit with backdoor capabilities for Linux, and named its dropper Facefish. The backdoor could upload device information, steal user credentials, open a reverse shell, and execute arbitrary commands.