The malware has a limited incidence in the wild and has a sophisticated architecture that allows it to remain persistent on an infected machine for long periods of time.
ESET researchers have discovered a previously unknown malware family that utilizes custom and well-designed modules, targeting systems running Linux. Modules used by this malware family, which we dubbed FontOnLake, are constantly under development and provide remote access to the operators, collect credentials, and serve as a proxy server.
We believe that FontOnLake’s operators are particularly cautious since almost all samples seen use unique [C2] servers with varying non-standard ports.
According to BleepingComputer, among the Linux utilities that the threat actor altered to deliver FontOnLake are:
cat – used to print the content of a file
kill – lists all running processes
sftp – secure FTP utility
sshd – the OpenSSH
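Because the report says the operators replaced legitimate utilities rather than dropping a standalone binary, a defender's first check is whether the on-disk copies of those utilities still match a known-good baseline and the package database. The script below is an added example, not ESET's or BleepingComputer's code; the binary paths, the empty BASELINE placeholder and the status names are assumptions, and the baseline hashes must be recorded from a trusted host before the check means anything.

```python
import hashlib
import os
import shutil
import subprocess

# Utilities the report names as altered; the paths are assumed typical locations.
WATCHED = {
    "cat": "/bin/cat",
    "kill": "/bin/kill",
    "sftp": "/usr/bin/sftp",
    "sshd": "/usr/sbin/sshd",
}

def sha256_file(path, chunk=1 << 16):
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def compare_to_baseline(paths, baseline):
    """Map each name to 'ok', 'MODIFIED', 'missing' or 'unbaselined'.
    baseline is {name: sha256 hex} recorded earlier on a known-good host."""
    status = {}
    for name, path in paths.items():
        if not os.path.exists(path):
            status[name] = "missing"
        elif name not in baseline:
            status[name] = "unbaselined"
        elif sha256_file(path) == baseline[name]:
            status[name] = "ok"
        else:
            status[name] = "MODIFIED"
    return status

def package_verify(path):
    """Second opinion from the package database: 'verified', 'altered' or
    'unmanaged'. Only meaningful when dpkg or rpm owns the file."""
    path = os.path.realpath(path)  # usrmerge: /bin/cat is really /usr/bin/cat
    if shutil.which("dpkg"):
        owner = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
        if owner.returncode != 0:
            return "unmanaged"
        pkg = owner.stdout.split(":")[0].strip()
        v = subprocess.run(["dpkg", "-V", pkg], capture_output=True, text=True)
        return "altered" if path in v.stdout else "verified"
    if shutil.which("rpm"):
        r = subprocess.run(["rpm", "-Vf", path], capture_output=True, text=True)
        if r.returncode != 0 and not r.stdout.strip():
            return "unmanaged"  # rpm reports no owning package (or no such file)
        return "verified" if r.returncode == 0 else "altered"
    return "unmanaged"

if __name__ == "__main__":
    BASELINE = {}  # placeholder: fill from a trusted host before use
    for name, state in compare_to_baseline(WATCHED, BASELINE).items():
        print(f"{name:5} {state:12} pkg={package_verify(WATCHED[name])}")
```

A binary that hashes "ok" against a stale baseline but shows as "altered" in the package database is still worth pulling for analysis, which is why both checks are kept.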