ESET Research has discovered FontOnLake, a targeted malware attacking Linux in Southeast Asia. The researchers identified a previously undiscovered malware family that targets Linux-based operating systems using unique and well-designed components. Modules utilised by this malware family, called FontOnLake by ESET, are continually being developed and enable remote access to operators, credential collection, and proxy server functionality. The location of the C&C server and the countries from which the samples were submitted to VirusTotal may imply that Southeast Asia is among its targets.
“The sneaky nature of FontOnLake’s tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks,” explains Vladislav Hrčka, ESET Malware Researcher who analyzed this threat. This malware family employs modified legal programmes that have been changed to load additional components in order to collect data or conduct other harmful behaviour. FontOnLake’s presence is always accompanied with a rootkit in order to disguise its presence. These binaries are widely used on Linux systems and may also function as a persistence mechanism.
ESET analysts believe FontOnLake’s operators are being too careful because nearly all samples examined by ESET use separate, unique C&C servers with varied non-standard ports. The writers mostly employ C/C++ and third-party libraries such as Boost, Poco, and Protobuf.
The first known file from this malware family was discovered on VirusTotal in May of last year, and further samples were submitted throughout the year. At the time of writing, none of the C&C servers used in samples submitted to VirusTotal were operational, indicating that they may have been deactivated as a result of the upload.
All known components of FontOnLake are detected by ESET products as Linux/FontOnLake. “Companies or individuals who want to protect their Linux endpoints or servers from this threat should use a multilayered security product and an updated version of their Linux distribution; some of the samples we have analyzed were created specifically for CentOS and Debian,” advises Hrčka.
Following the discovery by ESET Research while finishing the FontOnLake white paper, vendors such as Tencent Security Response Center, Avast, and Lacework Labs released their research on what seems to be the same virus. ESET will share its results on FontOnLake at the AVAR 2021 Virtual conference in early December.
