New FontOnLake Linux malware used in targeted attacks
Image: Gabriel Heinzer
Catalin Cimpanu October 8, 2021

New FontOnLake Linux malware used in targeted attacks

Catalin Cimpanu

October 8, 2021

New FontOnLake Linux malware used in targeted attacks

Analysts from Slovak security firm ESET said they uncovered a new malware strain that targets Linux systems, which, based on current evidence, they believe was used in a handful of targeted attacks.

Named FontOnLake, researchers said the malware’s operators have been “particularly cautious” when deploying this tool in attacks.

“The first known file of this malware family appeared on VirusTotal last May and other samples were uploaded throughout the year,” said ESET malware analyst Vladislav Hrčka.

“The location of the C&C server and the countries from which the samples were uploaded to VirusTotal might indicate that its targets include Southeast Asia,” he added.

At the time of writing, all the command-and-control (C&C) servers were down, which is reminiscent of typical attacks that target a small number of targets, with operators taking down infrastructure once their goals are met.

But a more in-depth technical analysis of the FontOnLake malware is available in a PDF report released today by ESET, with a summary of the findings also available below:

  • FontOnLake’s primary role is to provide remote access to hacked systems
  • Built around a modular architecture
  • Modules are custom-made and well-designed
  • Modules received upgrades, meaning that its creators are actively maintaining the malware
  • One of the modules is a rootkit component, which the malware uses to gain reboot persistence and full control over an infected system
  • Other modules are trojanized versions of common Linux binaries, deployed on the hacked system to gather and exfil local credentials and other sensitive information
  • Other modules are used as backdoor systems to facilitate access to the infected system in order to run commands, interact with local files, and control the malware itself
  • To bypass firewalls and other security systems, FontOnLake can also turn infected hosts into proxy servers

Additional analysis about this new stealthy malware is also available from TencentAvast, and Lacework, all of which have also encountered this new threat over the summer, under names like HCRootkit and Sutersu.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.