[MART] - Daily Diary #365 - Meet FontOnLake, a New Linux Threat

CTAS-MAT ctas-mat at appgate.com
Fri Oct 8 21:24:54 UTC 2021


Hello,
I hope everyone is doing well!

Below is the entry for today.

10/08/2021 - Diary entry #365

This week a new malware targeting Linux systems was found. Dubbed FontOnLake, it's a very modular threat, using a combination of Trojanized applications, Backdoors and Rootkits. The disclosed samples are written in C/C+. FontOnLake is a very recent threat, having been active since May 2020.

The malware starts its execution using trojanized standard Linux utilities that are commonly executed on system startup. The trojanized application can then start the other components and communicate with the Rootkit and Backdoors modules using a Virtual File created in the Linux environment.

For the C&C connection, this malware embeds a large list of domains. When executed, it takes a random domain, resolves, and communicates using HTTP requests on a non-standard port. The response is an AES encrypted blob, encoded using base64, that contains another IP address and port, which the malware will use to receive the commands.

Among this malware's features are the capability to exfiltrate data and files, download additional malware samples, act as a proxy and execute arbitrary commands and python scripts. These features make FontOnLake an effective tool for lateral movement inside an infected network, where each infected machine acts as a proxy bridge for others, allowing the malware to reach deep inside the network. Although there is no relation so far with ransomware incidents, this behavior is compatible with Trickbot and other botnets used to deploy ransomware inside infected networks, after the file exfiltration and lateral movements phase. The initial infection vector is still unknown, but the sophistication of this threat suggests it's mostly used for targeted attacks.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/logo@2x.png]<https://www.appgate.com/>

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>



Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/mart/attachments/20211008/0564acdf/attachment.htm>


More information about the MART mailing list