Security researchers at the antivirus and security company Eset report having discovered a new family of Linux malware, which they call FontOnLake. It provides remote access, harvests credentials and turns infected systems into proxies for further attacks.
The company presents its findings in a technical white paper. According to the paper, the malware is under continuous development. The locations of the C&C servers that were found point to Southeast Asia as the preferred area of operation. The C&C infrastructure is also highly decentralized: almost every sample found uses a different server, and most of those servers are currently inactive.
As the central element, the security researchers identified a virtual file that is created by a rootkit. Trojanized standard Linux tools write captured credentials to it, among other things. For example, a modified auth_password function that logs login credentials was found in sshd. Three different backdoors ensure that the attackers retain access to the infected systems, while the rootkit hides their presence and activities.
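Trojanized copies of standard tools such as sshd differ from what the distribution's package shipped, so the first triage step on a suspected host is to verify installed files against the package database (rpm -V on CentOS, debsums on Debian) and pull out every file whose contents no longer match. The following script is an added example, not code from Eset's paper or from the malware analysis; it parses constructed sample output of both tools (the file paths and verification results are made up for illustration) and reports digest mismatches and missing files, listing changed config files separately because local edits there are normal.

```python
"""Flag system files whose contents no longer match their package.

rpm -V prints one line per file that fails verification, for example
    S.5....T.  /usr/sbin/sshd
The attribute columns are S size, M mode, 5 digest, D device, L readlink,
U user, G group, T mtime, P capabilities; '.' means the test passed and
'?' means it could not be run. A type letter (c = config file) may follow.
debsums prints "/path  FAILED" (or, with -c, just the failing path).
"""
import re

# Constructed sample of `rpm -V -a` output; not output from any real host.
SAMPLE_RPM_VERIFY = """\
S.5....T.  /usr/sbin/sshd
.......T.  /usr/bin/cat
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/bin/whoami
.M.......  /usr/bin/passwd
"""

# Constructed sample of `debsums` output mixing old-style and -c style lines.
SAMPLE_DEBSUMS = """\
/usr/bin/cat                 OK
/usr/sbin/sshd               FAILED
/usr/bin/ls
"""

RPM_ATTRS = "SM5DLUGTP"  # column order of the rpm -V attribute string
RPM_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)\s*$"
)
RPM_MISSING = re.compile(r"^missing\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)\s*$")
DEB_LINE = re.compile(r"^(?P<path>/\S+)(?:\s+(?P<status>\S+))?\s*$")


def parse_rpm_verify(text):
    """Map path -> (set of failed attribute letters or {'missing'}, file type)."""
    results = {}
    for line in text.splitlines():
        m = RPM_MISSING.match(line)
        if m:
            results[m["path"]] = ({"missing"}, m["ftype"] or "")
            continue
        m = RPM_LINE.match(line)
        if m:
            failed = {ch for ch in m["flags"] if ch in RPM_ATTRS}
            results[m["path"]] = (failed, m["ftype"] or "")
    return results


def parse_debsums(text):
    """Return the set of paths debsums reported as digest mismatches."""
    failed = set()
    for line in text.splitlines():
        m = DEB_LINE.match(line)
        # With -c debsums prints only failing paths, so no status means FAILED.
        if m and m["status"] in (None, "FAILED"):
            failed.add(m["path"])
    return failed


def trojan_candidates(rpm_text="", deb_text=""):
    """Split verification output into (modified/missing binaries, changed configs).

    Only size/digest changes and missing files count as content changes;
    a mode- or mtime-only difference does not alter what the file does.
    """
    binaries, configs = set(), set()
    for path, (failed, ftype) in parse_rpm_verify(rpm_text).items():
        if not failed & {"S", "5", "missing"}:
            continue
        (configs if ftype == "c" else binaries).add(path)
    binaries |= parse_debsums(deb_text)
    return sorted(binaries), sorted(configs)


if __name__ == "__main__":
    changed, cfg = trojan_candidates(SAMPLE_RPM_VERIFY, SAMPLE_DEBSUMS)
    print("content changed or missing:", *changed, sep="\n  ")
    print("config files edited:", *cfg, sep="\n  ")
```

Two caveats apply on a host with a kernel-mode rootkit of the kind described above. rpm, debsums, the package database and the kernel's file-system view can all be subverted, so the check is only trustworthy when run from a clean environment (rescue media, or a copy of the disk compared against packages fetched from a known-good mirror), and a virtual file that the rootkit synthesizes is not owned by any package and will never appear in this output at all.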
Parts already known since May 2020
Samples of parts of the malware were uploaded to VirusTotal as early as May 2020. Some of the analyzed samples were built specifically for CentOS and Debian. The rootkit belonging to FontOnLake is based on Suterusu, a publicly available kernel-mode rootkit construction kit, and has also been documented by Avast, Lacework (which tracks it as HCRootkit) and other security companies.
Given its elaborate architecture and the evidence of constant development, Eset assumes that FontOnLake is being kept ready for future attacks. Its concrete purpose is unknown, as is the infection vector.