FontOnLake Malware

FontOnLake Malware Description

Infosec researchers have uncovered a previously unknown family of malware threats. These new threats are characterized by custom-built modules that are under active development. The name given to this newly established malware family is FontOnLake, and it appears to be targeting mostly Linux systems. The goal of the attackers is to establish backdoor access to the compromised machine and collect sensitive data, such as user credentials.

The threat actor places significant emphasis on remaining unnoticed. They used mostly C/C++ and several third-party libraries, including Boost, Poco, and Protobuf, when creating the FontOnLake threats. The operations involving this malware family also appear to be highly targeted and focused on the Southeast Asia region.

FontOnLake Structure

FontOnLake uses multiple techniques to remain hidden and increase its chances of avoiding detection. It utilizes legitimate binaries that have been modified to load corrupted components. FontOnLake is also always accompanied by a rootkit that is deployed on the infected machine. As a whole, the observed components of this malware family can be split into three different categories - trojanized applications, backdoors and rootkits.

Each is tasked with a distinct role. The weaponized applications consist of legitimate binaries that are reprogrammed to perform malicious activities, such as collecting data or delivering additional modules. Naturally, the backdoors are used by the attackers as the main communication channels, while the rootkits embed themselves at the kernel level of the system and assist with disguising the actions of the threat, facilitate updates, or act as fallback backdoors.

Detected Component Variants

Multiple weaponized applications were discovered by the researchers. These were all standard Linux utilities that had been modified to collect data or to load the custom backdoor or rootkit components. Because they are typically executed at system start-up, they can also serve as persistence mechanisms.

Different backdoors have so far been observed in FontOnLake attacks. They employ libraries from Boost, Poco and Protobuf, as well as several features of the STL, including smart pointers. The backdoors display certain overlaps in functionality, such as being able to exfiltrate collected data, manipulate the file system, act as a proxy and execute arbitrary commands.

Two separate FontOnLake rootkits have been identified so far. Both are based on the suterusu open-source project but include several custom-made techniques. The two versions are sufficiently distinct from one another, yet they overlap in certain functionality. Both are capable of hiding processes and files, masking network connections, port forwarding, receiving special data packets from the attackers, and delivering the collected credentials to the backdoor for exfiltration.