New Linux Malware ‘FontOnLake’ Discovered: Likely Used in Targeted Attacks


A new malware targeting Linux systems has been discovered and evidence suggests that it may have been used in several targeted attacks, according to analysts at Slovakian security firm ESET

The malware is named “FontOnLake”, and the attackers claim to have been “particularly careful” in using this tool in their attacks.

Vladislav Hrčka, a malware analyst at ESET,

FontOnLake is a malware family that uses well-designed custom modules and is under constant development.

It targets systems running Linux, provides attackers with remote access to those systems, collects credentials, and acts as a proxy server.

The sneaky nature and advanced design of these tools suggest that they can be used in targeted attacks.

The location of the C&C server and the country where the sample was uploaded to VirusTotal indicate that the operator of this tool is targeting at least Southeast Asia.

The fact that it uses a server suggests that its operators are overly cautious.

The author uses mainly C/C++ and various third party libraries such as Boost, Poco, and Protob.

The author uses various third party libraries such as Boost, Poco, and Protobuf.

None of the C&C servers used in the samples uploaded to VirusTotal were up and running at the time of writing.

It is possible that they were disabled by the uploads.

We have done multiple scans of the entire Internet mimicking the initial communication of the network protocol.

To identify the C&C server and the victim, we performed multiple Internet-wide scans that mimic the initial communication of the network protocol, targeting the observed non-standard ports. The results showed that the C&C server only maintained connections with custom heartbeat commands
commands, and did not provide updates in response to explicit requests.

FontOnLake was first posted on VirusTotal in May 2020, and other samples were uploaded throughout the year.

After our discovery while completing this whitepaper, vendors such as Tencent Security Response Center, Avast, and Lacework Labs published their research on what appears to be the same malware.

All command and control (C&C) servers are down, and it appears to be a typical attack where a small number of targets are targeted and the operator takes down the infrastructure once the objective is achieved.

However, a more detailed technical analysis of the FontOnLake malware can be found in a PDF report published by ESET, a summary of the results of which can also be found below.

  • FontOnLake’s primary role is to provide remote access to hacked systems
  • It is built around a modular architecture
  • Modules are custom-made and well-designed malware
  • Modules are upgraded, meaning that the author is actively maintaining the malware
  • One of the modules is the Rootkit component, which the malware uses to gain reboot persistence and take full control of the infected system.
  • Other modules are Trojanized versions of common Linux binaries that are placed on the hacked system to collect and exfiltrate local credentials and other sensitive information
  • Other modules facilitate access to the infected
  • Other modules are used as backdoor systems to facilitate access to the infected system, execute commands, manipulate local files, and control the malware itself
  • In order to bypass firewalls and other security systems, FontOnLake can turn the infected host into a proxy server. It can also turn an infected host into a proxy server


Copied title and URL