A previously unknown malware family dubbed FontOnLake is targeting systems running Linux, ESET researchers found.
FontOnLake uses “custom and well-designed modules,” malware analyst Vladislav Hrčka wrote in a blog post on the finding. Modules used by the malware family “are constantly under development and provide remote access to the operators, collect credentials, and serve as a proxy server,” he wrote.
The first known FontOnLake file appeared on VirusTotal in May 2020 and other samples were uploaded throughout the year. Both the location of its command-and-control server and the countries from which samples were uploaded to VirusTotal may indicate that the attackers’ targets include Southeast Asia.
“We believe that FontOnLake’s operators are particularly cautious since almost all samples seen use unique [C2] servers with varying non-standard ports,” Hrčka wrote.
The malware family’s known components include Trojanized applications, backdoors, and rootkits, which interact with each other Researchers found multiple Trojanized applications, mostly used to load custom backdoor or rootkit modules. The three backdoors discovered are written in C++; the functionality they have in common is each exfiltrates collected credentials and its bash command history to the C2 server. Researchers found two “marginally different” versions of the rootkit, used one at a time, in each of the three backdoors.
Read ESET’s full blog post for more details.