Researchers at Slovak cybersecurity firm ESET have shared some details on a previously undocumented malware, which they dubbed ‘FontOnLake,’ designed to target Linux systems.

The malware is able to provide remote access to its operators, collect credentials, and act as a proxy server using custom and well-designed modules, which are constantly under development.

To conduct malicious activity the malware uses modified legitimate binaries (cat, kill or sshd) that are adjusted to load additional components, as well as a rootkit to hide its activity.

“The sneaky nature of FontOnLake’s tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks,” the researchers said.

FontOnLake first appeared on VirusTotal in May 2020, and other samples were uploaded throughout the year. Based on the command and control (C2) server location and the countries from which the samples were uploaded to VirusTotal, the researchers believe that malware targets include Southeast Asia.

“We believe that FontOnLake’s operators are particularly cautious since almost all samples seen use unique C&C servers with varying non-standard ports. The authors use mostly C/C++ and various third-party libraries such as Boost, Poco, or Protobuf. None of the C&C servers used in samples uploaded to VirusTotal were active at the time of writing – which indicates that they could have been disabled due to the upload,” ESET said.

The malware uses trojanized apps (which are standard Linux files) to load custom backdoor or rootkit modules and also to collect sensitive information. Currently, it is not clear, how these trojanized apps are delivered to victims’ systems.

The researchers also discovered three different backdoors written in C++, all using the same Asio library from Boost for asynchronous network and low-level I/O, and all capable of exfiltrating collected credentials and its bash command history to its C&C.

ESET discovered two rootkit versions, used only one at a time, in each of the three backdoors. Both rootkit versions are based the open-source project Suterusu, and both capable of hiding processes, files, network connections, and themselves, performing port forwarding, and exposing collected credentials to the backdoor.

The researchers noted that FontOnLake shares certain behavioral patterns with Operation Wendigo discovered in 2014.

Additional technical details on FontOnLake are available in ESET's white paper.