11 October 2021

New FontOnLake malware targets Linux systems


Researchers at Slovak cybersecurity firm ESET have shared some details on a previously undocumented malware, which they dubbed ‘FontOnLake,’ designed to target Linux systems.

The malware is able to provide remote access to its operators, collect credentials, and act as a proxy server using custom and well-designed modules, which are constantly under development.

To conduct malicious activity the malware uses modified legitimate binaries (cat, kill or sshd) that are adjusted to load additional components, as well as a rootkit to hide its activity.

“The sneaky nature of FontOnLake’s tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks,” the researchers said.

FontOnLake first appeared on VirusTotal in May 2020, and other samples were uploaded throughout the year. Based on the command and control (C2) server location and the countries from which the samples were uploaded to VirusTotal, the researchers believe that malware targets include Southeast Asia.

“We believe that FontOnLake’s operators are particularly cautious since almost all samples seen use unique C&C servers with varying non-standard ports. The authors use mostly C/C++ and various third-party libraries such as Boost, Poco, or Protobuf. None of the C&C servers used in samples uploaded to VirusTotal were active at the time of writing – which indicates that they could have been disabled due to the upload,” ESET said.

The malware uses trojanized apps (which are standard Linux files) to load custom backdoor or rootkit modules and also to collect sensitive information. Currently, it is not clear how these trojanized apps are delivered to victims’ systems.

The researchers also discovered three different backdoors written in C++, all using the same Asio library from Boost for asynchronous network and low-level I/O, and all capable of exfiltrating collected credentials and the user's bash command history to their C&C server.

ESET discovered two rootkit versions, only one of which is used at a time with each of the three backdoors. Both rootkit versions are based on the open-source project Suterusu, and both are capable of hiding processes, files, network connections, and themselves, performing port forwarding, and exposing collected credentials to the backdoor.
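Because FontOnLake replaces standard binaries such as cat, kill and sshd with modified copies, the most direct defensive check is a file-integrity baseline: hash the binaries you care about while the host is known-good, keep the manifest off the host, and compare later. The script below is an added example written for this article, not code from ESET or from the report; the watchlist paths, the `demo_tampering` scenario and its placeholder file contents are constructed assumptions, and `verify` reports a hash mismatch even when the replacement keeps the original size.

```python
"""File-integrity baseline for system binaries (added example, not from the article)."""
import hashlib
import json
import os
import tempfile

# Binaries the ESET research names as being replaced by trojanized copies (assumed paths).
WATCHLIST = ["/bin/cat", "/bin/kill", "/usr/sbin/sshd"]


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record hash, size and permission bits for every existing path.
    Store the returned manifest off-host (or on read-only media); a baseline
    kept on the same machine can be edited by whoever replaced the binaries."""
    baseline = {}
    for p in paths:
        if os.path.isfile(p):
            st = os.stat(p)
            baseline[p] = {"sha256": sha256_of(p), "size": st.st_size,
                           "mode": st.st_mode & 0o7777}
    return baseline


def verify(baseline):
    """Compare the current filesystem to the manifest. Returns {path: status}."""
    report = {}
    for p, expected in baseline.items():
        if not os.path.isfile(p):
            report[p] = "missing"
            continue
        st = os.stat(p)
        if sha256_of(p) != expected["sha256"]:
            report[p] = "modified"          # content differs, regardless of size
        elif (st.st_mode & 0o7777) != expected["mode"]:
            report[p] = "mode-changed"      # e.g. an unexpected setuid bit
        else:
            report[p] = "ok"
    return report


def demo_tampering():
    """Constructed scenario in a temp dir: baseline three placeholder 'binaries',
    then overwrite one with same-sized different content and delete another."""
    with tempfile.TemporaryDirectory() as d:
        fake = {name: os.path.join(d, name) for name in ("cat", "kill", "sshd")}
        for name, p in fake.items():
            with open(p, "wb") as f:
                f.write(b"ELF-placeholder:" + name.encode())   # constructed content
        baseline = build_baseline(fake.values())
        # Simulate a swapped-in 'cat' that keeps the original length (19 bytes).
        with open(fake["cat"], "wb") as f:
            f.write(b"ELF-placeholder:evl")
        os.remove(fake["sshd"])
        report = verify(baseline)
        return {os.path.basename(p): status for p, status in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo_tampering(), indent=2))
    # Real use: run once on a trusted host, save the output off-host, re-run verify() later.
    print(json.dumps(build_baseline(WATCHLIST), indent=2))
```

Two caveats follow from the article itself: the comparison only detects a swap if the baseline predates the compromise, and because the accompanying rootkit hides files from userland, a clean result on a live system is weaker evidence than the same check run against the disk from a trusted boot medium.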

The researchers noted that FontOnLake shares certain behavioral patterns with Operation Wendigo discovered in 2014.

Additional technical details on FontOnLake are available in ESET's white paper.
