Analysts uncovered a new malware strain that targets Linux systems, which, based on current evidence, they believe was used in a handful of targeted attacks.
Named FontOnLake, the malware has been deployed with particular caution by its operators, researchers said. The location of the C&C servers and the countries where the targets are located point to Southeast Asia.
At the time of writing, all the C&C servers were down, which is reminiscent of typical attacks aimed at a small number of victims, with operators taking down infrastructure once their goals are met.
A summary of the findings is also available below:
- FontOnLake’s primary role is to provide remote access to hacked systems
- Built around a modular architecture
- Modules are custom-made and well-designed
- Modules received upgrades, meaning that its creators are actively maintaining the malware
- One of the modules is a rootkit component, which the malware uses to gain reboot persistence and full control over an infected system
- Other modules are trojanized versions of common Linux binaries, deployed on the hacked system to gather and exfiltrate local credentials and other sensitive information
- Other modules are used as backdoor systems to facilitate access to the infected system in order to run commands, interact with local files, and control the malware itself
- To bypass firewalls and other security systems, FontOnLake can also turn infected hosts into proxy servers