Linux malware spreading through infected binaries: FontOnLake has advanced techniques to evade detection and ensure persistent presence

Malware for Linux is distributed through binaries. Pic credit: Marlon Bunday/Flickr

Relatively new Linux malware is quietly making its way onto several Linux distros through legitimate but infected binaries. The FontOnLake virus has surprisingly sophisticated methods to evade detection and ensure a persistent presence on infected computers.

Malware for Linux distros isn’t common. But this situation is gradually changing, partly because Microsoft has embraced Linux. The FontOnLake virus is a new breed of malware that successfully keeps a low profile and a small footprint. However, once a computer is infected, it is quite difficult to rid it of the malware.

New Linux malware resides inside legitimate utilities, but the distribution network still remains undiscovered:

Researchers at ESET have been tracking the FontOnLake malware for about a year and a half now. Through a detailed report, the cybersecurity company claims the first sample with the virus’ signature surfaced in May 2020.

Researchers believe FontOnLake may be used in targeted attacks executed by trained and sophisticated operators. This is because every attack instance used unique Command and Control (C2) servers. The attacks also relied on multiple non-standard ports.

The FontOnLake malware is interesting primarily because its operators distribute it by lacing legitimate binaries with it. Simply put, the Linux malware is spreading through standard, and presumably popular, applications for Linux distros.

It is rather difficult to load Linux applications with malware. Hence, it is more than likely that the operators of this malware took pains to recompile popular Linux utilities with the malware included, and then distributed them.

What’s concerning is the effectiveness of the malware at infecting a victim’s Linux PC and then staying put. Explaining this, Vladislav Hrčka, malware analyst and reverse engineer at ESET, said:

“All the trojanized files are standard Linux utilities and serve as a persistence method because they are commonly executed on system start-up.”
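Because the trojanized files are standard utilities, the practical defensive check is to verify installed binaries against the distribution's package manifests, which is what tools such as debsums or rpm -V do. The following added example, which is not from the original article or from ESET, implements that comparison in Python over constructed sample data modelled on the dpkg md5sums format; the paths, file contents and hashes are invented for the example.

```python
import hashlib

# Constructed dpkg-style manifest lines in the format of
# /var/lib/dpkg/info/<pkg>.md5sums: "<md5 hex>  <path relative to />".
# Contents and hashes are made up for this example, not from any real package.
PRISTINE = {
    "bin/cat": b"ELF cat pristine\n",
    "bin/kill": b"ELF kill pristine\n",
    "usr/sbin/sshd": b"ELF sshd pristine\n",
}
# Constructed "installed" view: cat has been recompiled with an implant,
# kill is absent (or hidden from userland), and an unowned binary appeared.
INSTALLED = {
    "bin/cat": b"ELF cat trojanized\n",
    "usr/sbin/sshd": b"ELF sshd pristine\n",
    "usr/local/bin/helper": b"ELF unknown\n",
}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_manifest(files: dict) -> str:
    """Render {path: content} as md5sums text (two spaces between fields)."""
    return "".join(f"{md5_hex(c)}  {p}\n" for p, c in files.items())

def parse_manifest(text: str) -> dict:
    """Parse md5sums text into {path: expected_md5}; skip malformed lines."""
    expected = {}
    for line in text.splitlines():
        parts = line.split("  ", 1)
        if len(parts) == 2 and len(parts[0]) == 32:
            expected[parts[1]] = parts[0]
    return expected

def verify(manifest: str, installed: dict) -> dict:
    """Compare installed contents against the manifest. modified: hash mismatch
    (a recompiled utility); missing: listed but absent, which on a live host may
    mean a rootkit hides it; unlisted: present but claimed by no package."""
    expected = parse_manifest(manifest)
    report = {"modified": [], "missing": [], "unlisted": []}
    for path, digest in expected.items():
        if path not in installed:
            report["missing"].append(path)
        elif md5_hex(installed[path]) != digest:
            report["modified"].append(path)
    report["unlisted"] = sorted(p for p in installed if p not in expected)
    return report

if __name__ == "__main__":
    print(verify(build_manifest(PRISTINE), INSTALLED))
```

On a host where a kernel rootkit such as Suterusu hides files, a check run from the compromised system itself can be fooled, so run it from a trusted boot medium and take the reference hashes from the vendor's packages rather than the local dpkg database.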

What does the FontOnLake malware do after infecting a Linux PC?

The FontOnLake malware comes prepackaged inside the modified and recompiled Linux binaries. These binaries themselves also serve a malicious purpose. Reports indicate they load additional payloads, collect information, or execute other malicious actions.

So far, researchers have discovered the malware attempts to open three backdoors to Linux PCs and then tries hard to keep them open. These backdoors provide operators remote access to the infected system.

The FontOnLake malware relies on a sophisticated rootkit, called Suterusu, to hide its presence. This rootkit also pulls updates with newer payloads. Moreover, it ensures there are backup backdoors. Suterusu can hide processes, files, the primary malware, and network connections.

It appears that the malware could be an advanced version of HCRootkit, which AVAST discovered. That malware also relied on Suterusu to hide itself and pulled in additional payloads. Additional investigation by Lacework Labs also indicates the two malware strains could be the same.
