New FontOnLake Linux malware used in targeted attacks

Analysts from Slovak security firm ESET said they uncovered a new malware strain that targets Linux systems, which, based on current evidence, they believe was used in a handful of targeted attacks.

Named FontOnLake, researchers said the malware’s operators have been “particularly cautious” when deploying this tool in attacks.

“The first known file of this malware family appeared on VirusTotal last May and other samples were uploaded throughout the year,” said ESET malware analyst Vladislav Hrčka.

“The location of the C&C server and the countries from which the samples were uploaded to VirusTotal might indicate that its targets include Southeast Asia,” he added.

At the time of writing, all the command-and-control (C&C) servers were down, which is reminiscent of typical attacks that target a small number of targets, with operators taking down infrastructure once their goals are met.

But a more in-depth technical analysis of the FontOnLake malware is available in a PDF report released today by ESET, with a summary of the findings also available below:

  • FontOnLake’s primary role is to provide remote access to hacked systems
  • Built around a modular architecture
  • Modules are custom-made and well-designed
  • Modules received upgrades, meaning that its creators are actively maintaining the malware
  • One of the modules is a rootkit component, which the malware uses to gain reboot persistence and full control over an infected system
  • Other modules are trojanized versions of common Linux binaries, deployed on the hacked system to gather and exfil local credentials and other sensitive information
  • Other modules are used as backdoor systems to facilitate access to the infected system in order to run commands, interact with local files, and control the malware itself
  • To bypass firewalls and other security systems, FontOnLake can also turn infected hosts into proxy servers

Additional analysis about this new stealthy malware is also available from TencentAvast, and Lacework, all of which have also encountered this new threat over the summer, under names like HCRootkit and Sutersu.

Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.

Recent Posts

Facebook testing end-to-end encryption as a default on Messenger

Facebook has long been criticized for not using end-to-end encryption as a default option for…

17 hours ago

CISA orders civilian agencies to patch Zimbra bug after mass exploitation

The Cybersecurity and Infrastructure Security Agency added two vulnerabilities found in products from digital collaboration…

19 hours ago

AT&T denies connection to database of 23 million SSNs, says it may be tied to credit agency breach

Telecommunications giant AT&T denied any connection to a database of stolen information that included the…

20 hours ago

U.S. shares photo of alleged Conti suspect, offers $10 million for intel

The U.S. State Department on Thursday said that it was offering a $10 million reward…

20 hours ago

Suspected Tornado Cash developer arrested in Netherlands

Financial crime authorities in the Netherlands announced Friday that they had arrested a 29-year-old man…

1 day ago

NHS working with U.K. cyber authorities to assess ransomware attack on IT vendor

The United Kingdom’s National Health Service said it is working with the country’s National Cyber…

2 days ago