FontOnLake is a previously unknown malware family that targets systems running Linux.
The malware has limited prevalence in the wild, and its sophisticated architecture lets it stay persistent on an infected machine for long periods of time.
ESET researchers have discovered a previously unknown malware family that utilizes custom and well-designed modules, targeting systems running Linux. Modules used by this malware family, which we dubbed FontOnLake, are constantly under development and provide remote access to the operators, collect credentials, and serve as a proxy server.
In May 2020, the first FontOnLake file was discovered on VirusTotal, and further samples were posted throughout the year. The attackers are targeting Southeast Asia, based on the location of the command-and-control server and the countries from which samples were uploaded to VirusTotal.
We believe that FontOnLake’s operators are particularly cautious since almost all samples seen use unique C2 servers with varying non-standard ports.
According to BleepingComputer, among the Linux utilities that the threat actor altered to deliver FontOnLake are:
cat – used to print the content of a file
kill – lists all running processes
sftp – secure FTP utility
sshd – the OpenSSH
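Because the reported delivery path is replacement of standard utilities, the defender's check is file integrity of those binaries against a baseline taken from a trusted host. The script below is an added example, not code from ESET or BleepingComputer; the install paths in WATCHED are assumptions for a typical Linux layout.

```python
"""Integrity check for the utilities FontOnLake was reported to replace
with trojanized copies (cat, kill, sftp, sshd)."""
import hashlib
import os

# Utilities named in the report; paths are assumptions for a typical install.
WATCHED = ["/bin/cat", "/bin/kill", "/usr/bin/sftp", "/usr/sbin/sshd"]


def sha256_of(path):
    """Hash in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, root="/"):
    """Record hashes on a trusted host; paths absent under `root` are skipped.
    Keep the result off the box: a trojanized utility is only caught against
    a baseline it cannot rewrite."""
    baseline = {}
    for p in paths:
        full = os.path.join(root, p.lstrip("/"))
        if os.path.isfile(full):
            baseline[p] = sha256_of(full)
    return baseline


def check_binaries(baseline, root="/"):
    """Return {path: 'ok' | 'modified' | 'missing'} for each baseline entry.
    'modified' is a lead, not proof: a legitimate package update also changes
    the hash, so confirm with the package manager (dpkg -V / rpm -V) first."""
    results = {}
    for p, expected in baseline.items():
        full = os.path.join(root, p.lstrip("/"))
        if not os.path.isfile(full):
            results[p] = "missing"
        elif sha256_of(full) != expected:
            results[p] = "modified"
        else:
            results[p] = "ok"
    return results


if __name__ == "__main__":
    # Demo only: a real baseline comes from a known-good host, not the suspect one.
    for path, status in check_binaries(build_baseline(WATCHED)).items():
        print(f"{status:8} {path}")
```

Run build_baseline on a clean reference machine, store the dict somewhere the suspect host cannot write, and run check_binaries against it from a rescue environment rather than from the possibly trojanized system itself.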