ESET researchers have discovered a previously unknown malware family that uses custom, well-designed modules and targets systems running Linux. Modules used by this malware family, which ESET dubbed FontOnLake, are constantly under development and provide remote access to the operators, collect credentials, and serve as a proxy server. The location of the C&C server and the countries from which the samples were uploaded to VirusTotal might indicate that its targets include Southeast Asia.
“The sneaky nature of FontOnLake’s tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks,” explains Vladislav Hrčka, ESET Malware Researcher who analyzed this threat. To collect data or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. These binaries are commonly used on Linux systems and can additionally serve as a persistence mechanism. To conceal its existence, FontOnLake’s presence is always accompanied by a rootkit.
ESET researchers believe that FontOnLake’s operators are overly cautious since almost all samples seen by ESET use different, unique C&C servers with varying non-standard ports. The authors use mostly C/C++ and various third-party libraries such as Boost, Poco and Protobuf.
The first known file of this malware family appeared on VirusTotal last May and other samples were uploaded throughout the year. None of the C&C servers used in samples uploaded to VirusTotal were active at the time of writing, indicating that they could have been disabled due to the upload.
All known components of FontOnLake are detected by ESET products as Linux/FontOnLake. “Companies or individuals who want to protect their Linux endpoints or servers from this threat should use a multilayered security product and an updated version of their Linux distribution; some of the samples we have analyzed were created specifically for CentOS and Debian,” advises Hrčka.