Analysts uncovered a new malware strain that targets Linux systems, which, based on current evidence, they believe was used in a handful of targeted attacks.

Named FontOnLake, the malware has been deployed with particular caution by its operators, researchers said. The locations of the C&C servers and of the targeted countries include Southeast Asia.

At the time of writing, all the C&C servers were down, which is typical of campaigns aimed at a small number of targets, where operators take down their infrastructure once their goals are met.

A summary of the findings is also available below:

  • FontOnLake’s primary role is to provide remote access to hacked systems
  • Built around a modular architecture
  • Modules are custom-made and well-designed
  • Modules received upgrades, meaning that its creators are actively maintaining the malware
  • One of the modules is a rootkit component, which the malware uses to gain reboot persistence and full control over an infected system
  • Other modules are trojanized versions of common Linux binaries, deployed on the hacked system to gather and exfiltrate local credentials and other sensitive information
  • Other modules are used as backdoor systems to facilitate access to the infected system in order to run commands, interact with local files, and control the malware itself
  • To bypass firewalls and other security systems, FontOnLake can also turn infected hosts into proxy servers
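The trojanized system binaries in the summary above are the component a defender can most directly check for. The following is an added example, not code from the report or from the FontOnLake analysis, showing a baseline-and-verify integrity check: it records the SHA-256, size and permission bits of every binary under a directory, then reports files that were modified, removed or added. The directory layout, file names and file contents are constructed for the demonstration. On a real host the baseline must come from a trusted source (a clean image or the package manager's own hashes) and the check is best run from outside the suspect system, because a rootkit like the one the summary mentions can hide or alter what a local process sees.

```python
"""Baseline-and-verify integrity check for system binaries.

Added example (not from the original report). Paths, manifest format and the
sample 'binaries' are assumptions constructed for the demonstration.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and permission bits for every regular file below root.

    Mode is recorded too: a setuid bit appearing on a copied binary is as
    interesting as a changed hash.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.lstat()
            baseline[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline.

    Returns 'modified' (hash or mode differs), 'missing' (in baseline, gone
    now) and 'added' (present now, absent from baseline).
    """
    current = build_baseline(root)
    report = {"modified": [], "missing": [], "added": []}
    for rel, rec in baseline.items():
        cur = current.get(rel)
        if cur is None:
            report["missing"].append(rel)
        elif cur["sha256"] != rec["sha256"] or cur["mode"] != rec["mode"]:
            report["modified"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    return report


def demo() -> dict:
    """Self-contained run: create fake binaries, baseline them, tamper, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        for name in ("ssh", "sshd", "ps"):
            # constructed stand-ins for real ELF binaries
            (root / "bin" / name).write_bytes(b"ELF-stub-" + name.encode())
        baseline = build_baseline(root)
        manifest = json.dumps(baseline, indent=1)  # what you would store off-host

        # simulate a trojanized sshd, a dropped extra binary and a setuid bit on ps
        (root / "bin" / "sshd").write_bytes(b"ELF-stub-sshd+implant")
        (root / "bin" / "kaudit").write_bytes(b"ELF-stub-dropper")
        os.chmod(root / "bin" / "ps", 0o4755)

        return verify(root, json.loads(manifest))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it as-is to see the three categories reported; to use it for real, call `build_baseline` against a trusted copy of `/usr/bin` and the like, store the JSON manifest off the host, and run `verify` against the live tree (ideally from a boot medium or a forensic mount).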