In a blog post published on Thursday, Vladislav Hrčka wrote that the malware family, which ESET had named FontOnLake, used custom and well-designed modules that could provide remote access, steal credentials and operate as a proxy server. Avast published details of the same malware on 25 August, while Lacework Labs published its research on 23 September. Both firms called it HCRootkit.
We have found a new #Linux #malware leveraging an open source kernel-mode rootkit #Suterusu and we dubbed it #HCRootkit. 1/7
— Avast Threat Labs (@AvastThreatLabs) August 25, 2021
He said one distinguishing characteristic of FontOnLake was that it was always accompanied by a rootkit that helped to conceal its presence. The malware also used backdoors.
In order to fulfill these functions, FontOnLake used trojanised binaries for software like ssh [secure shell, used for remote access], cat [a standard Unix utility that reads files sequentially, writing them to standard output] and kill [a command-line utility to terminate processes].
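As an added example, not code from the article or from ESET's research, the following Python script performs the integrity check a defender would run for the binaries named above: it parses dpkg's per-package `.md5sums` manifests and flags an on-disk `ssh`, `cat` or `kill` whose digest no longer matches what the package shipped. The `/var/lib/dpkg/info` location and the `WATCHED` paths are assumptions for a Debian-style host, and `demo()` exercises the check on constructed sample files rather than the real system.

```python
import hashlib
import tempfile
from pathlib import Path

# Binaries the article says FontOnLake trojanised (Debian-style paths assumed)
WATCHED = ["/usr/bin/ssh", "/bin/cat", "/bin/kill"]

def parse_md5sums(text):
    """Parse dpkg's <pkg>.md5sums lines: '<md5>  <path without leading slash>'."""
    expected = {}
    for line in filter(str.strip, text.splitlines()):
        digest, _, rel = line.strip().partition("  ")
        expected["/" + rel.lstrip("/")] = digest.lower()
    return expected

def md5_of_file(path):
    # md5 only because that is the digest dpkg records in its manifests
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def check_binaries(expected, paths):
    """Map each path to 'ok', 'MISMATCH', 'missing' or 'unknown' (no manifest entry)."""
    results = {}
    for p in paths:
        if p not in expected:
            results[p] = "unknown"
        elif not Path(p).exists():
            results[p] = "missing"
        elif md5_of_file(p) != expected[p]:
            results[p] = "MISMATCH"  # on-disk binary differs from what the package shipped
        else:
            results[p] = "ok"
    return results

def load_dpkg_manifests(info_dir="/var/lib/dpkg/info"):
    """Merge every package's .md5sums manifest into one {abs_path: md5} table."""
    expected = {}
    for f in Path(info_dir).glob("*.md5sums"):
        expected.update(parse_md5sums(f.read_text(errors="replace")))
    return expected  # real host: check_binaries(load_dpkg_manifests(), WATCHED)

def demo():
    """Constructed sample: two fake binaries, 'kill' tampered after the manifest was taken."""
    d = tempfile.mkdtemp()
    cat, kill, ssh = (f"{d}/{n}" for n in ("cat", "kill", "ssh"))
    for p in (cat, kill):
        Path(p).write_bytes(b"#!/bin/sh\necho genuine\n")
    manifest = "\n".join(f"{md5_of_file(p)}  {p.lstrip('/')}" for p in (cat, kill))
    Path(kill).write_bytes(Path(kill).read_bytes() + b"# trojanised payload\n")  # replaced binary
    results = check_binaries(parse_md5sums(manifest), [cat, kill, ssh])
    return {Path(k).name: v for k, v in results.items()}
```

`dpkg --verify` and `rpm -Va` perform the same comparison where those tools are available. Because the rootkit that accompanies FontOnLake can hide files or intercept reads, run the check from trusted boot media or against a disk image rather than on the live system of a suspected host.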
Hrčka said the first known file from this family appeared on the Google-owned virus database VirusTotal in May 2020 and more followed.
"The location of the C&C [command and control] server and the countries from which the samples were uploaded to VirusTotal might indicate that its targets include south-east Asia," he wrote.
"We believe that FontOnLake’s operators are particularly cautious, since almost all samples seen use unique C&C servers with varying non-standard ports.
"The authors use mostly C/C++ and various third-party libraries such as Boost, Poco, or Protobuf.
"None of the C&C servers used in samples uploaded to VirusTotal were active at the time of writing – which indicates that they could have been disabled due to the upload."
ESET had found three different backdoors "written in C++ and all use, albeit in slightly different ways, the same Asio library from Boost for asynchronous network and low-level I/O. Poco, Protobuf, and features from STL such as smart pointers are used as well".
The backdoors shared one common feature: each exfiltrated stolen credentials and the bash command history to its C&C.
Hrčka listed the following as comprising the functionality of the backdoors:
- "Exfiltrating the collected data;
- "Creating a bridge between a custom ssh server running locally and its C&C;
- "Manipulating files (for instance, upload/download, create/delete, directory listing, modify attributes, and so on);
- "Serving as a proxy; and
- "Executing arbitrary shell commands and Python scripts."
Two versions of the rootkit were found by ESET; though both were based on the Suterusu open-source project, they also contained a number of custom techniques.
Tencent Security Response Centre also published research on the same malware; this is in Chinese.
A detailed white paper about FontOnLake has been published by ESET and can be downloaded here.