Date: 2021-10-11

Linux users should stay alert: a new family of malware that hides inside apparently legitimate binaries has been discovered infecting Linux systems. The threat is being called FontOnLake, and researchers believe it is used in attacks aimed at obtaining sensitive user data.

Researchers found the malware after coming across several samples of FontOnLake in the VirusTotal file-scanning service, the first of which had been uploaded in May 2020. The report also notes that the actors behind this threat must be quite experienced in digital security, since all of these samples had their connections to command and control servers (the computers responsible for controlling and giving orders to the malware) turned off, apparently to make it harder to track the criminals.

ESET’s report states that FontOnLake is built well enough to remain on infected systems for long periods, but also notes that so far it has not been widely distributed. In addition, the threat has multiple modules that, when executed, provide a wide range of functions, such as communicating with the criminals responsible for the attack, stealing sensitive data, and staying hidden on the system.

ESET researchers also state that FontOnLake is distributed through trojanised applications, that is, files that carry out malicious activity without the user noticing, but the security firm has not yet been able to identify how victims are led to download the initial vectors. Basic Linux utilities are run as commands typed into the operating system’s terminal. According to ESET’s report, FontOnLake turns some of these utilities into trojans, so that simply using them can trigger the infection. The Linux utilities modified to distribute FontOnLake, according to the ESET report, are as follows:

cat – used to display the contents of a file;

kill – used to terminate processes running on Linux;

sftp – secure file transfer (the SSH File Transfer Protocol);

sshd – the process used by SSH servers.

[Image: FontOnLake operating scheme (Playback/ESET)]

The report further states that these utilities were changed at the source-code level, indicating that the criminals behind FontOnLake rebuilt these tools and replaced the originals on compromised machines. Three backdoors (that is, undocumented entry points) written in C++ and associated with FontOnLake, used by the criminals for remote access to targeted systems, were also found on infected computers. All three backdoors share one function: sending sshd credentials, used for secure network access on Linux, and the bash command history to the command and control network.

Same virus, different name

ESET says that the presence of FontOnLake on infected systems is concealed by a rootkit, which is also responsible for installing updates to the malicious agent and maintaining the backdoors used for remote access to infected systems.

A rootkit is software, most often malicious, created to hide or disguise the existence of certain processes or programs from normal detection methods and to allow exclusive access to a computer and its information.

All samples of this rootkit found by ESET are based on Suterusu, an open-source project created eight years ago, which can hide processes, files, network connections and, most importantly, itself. FontOnLake primarily targets Linux systems running kernel 2.6.-696.el6.x86_32, available in 1024, and 3.32.0-229.el7.X64_86, available in 2020.

ESET ultimately believes that FontOnLake is the same malware previously identified by researchers at Tencent’s Security Response Center, who at the time classified it as an advanced persistent threat incident. In addition, a Linux malware that also used Suterusu as its base, called HCRootKit and found by Avast in August, works similarly to FontOnLake, with backdoors written in C++ and the replacement of basic operating system utilities as its infection method.

If you use a Linux distribution, the best way to prevent these attacks is to install an antivirus solution on the operating system, such as Bitdefender or Avast, and, whenever you install new applications or tinker with commands that connect to external servers, to perform a system security audit, checking files and looking for changes to documents.
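Because the trojanised utilities named above (cat, kill, sftp, sshd) were rebuilt and swapped for the originals, an audit of the kind recommended here can start by checking those binaries against the package manager’s own records. The following is an added example, not code from the article or from ESET: it parses `rpm -V` output (a constructed sample is embedded) and reports which watched utilities changed in size or digest or went missing; the binary paths are assumptions and may differ between distributions.

```python
import re

# Utilities the ESET report says FontOnLake replaces with trojanised builds.
# Paths are assumed; adjust them to the distribution (merged /usr, etc.).
WATCHED = ["/bin/cat", "/bin/kill", "/usr/bin/sftp", "/usr/sbin/sshd"]

# `rpm -V` prints one line per file that differs from the package database:
# nine attribute flags ('S' size, '5' digest, 'T' mtime, ...), an optional
# type letter (c, d, g, l, r) and the path; deleted files print "missing".
CHANGED_LINE = re.compile(r"^([S.M5DLUGTP?]{9})\s+(?:[cdglr]\s+)?(/\S+)$")
MISSING_LINE = re.compile(r"^missing\s+(?:[cdglr]\s+)?(/\S+)$")

def parse_rpm_verify(output):
    """Return ({path: flags} for changed files, [paths] reported missing)."""
    changed, missing = {}, []
    for line in output.splitlines():
        line = line.strip()
        m = CHANGED_LINE.match(line)
        if m:
            changed[m.group(2)] = m.group(1)
            continue
        m = MISSING_LINE.match(line)
        if m:
            missing.append(m.group(1))
    return changed, missing

def suspicious_utilities(output, watched=WATCHED):
    """Watched binaries whose content differs from the package, or that vanished.

    Only size ('S') and digest ('5') count: an mtime-only change ('T') does not
    by itself mean the binary was rebuilt and replaced."""
    changed, missing = parse_rpm_verify(output)
    hits = {p for p, f in changed.items() if p in watched and ("5" in f or "S" in f)}
    hits.update(p for p in missing if p in watched)
    return sorted(hits)

# Constructed sample of `rpm -V` output; not captured from a real system.
SAMPLE_RPM_OUTPUT = """\
S.5....T.    /bin/cat
.......T.    /bin/kill
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/sbin/sshd
missing     /usr/bin/sftp
"""

if __name__ == "__main__":
    # Prints ['/bin/cat', '/usr/bin/sftp', '/usr/sbin/sshd']
    print(suspicious_utilities(SAMPLE_RPM_OUTPUT))
```

On a live host, feed it the real output of `rpm -V <package>` for the packages owning those binaries (dpkg-based systems have `dpkg --verify` with a different line format); note that a rootkit hiding files can also hide them from this check, so an offline boot or a known-good baseline is the stronger comparison.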

Source: BleepingComputer