FontOnLake: Previously unknown malware family targeting Linux – We Live Security

ESET researchers discover a malware family with tools that show signs they’re used in targeted attacks

ESET researchers have discovered a previously unknown malware family that utilizes custom and well-designed modules, targeting systems running Linux. Modules used by this malware family, which we dubbed FontOnLake, are constantly under development and provide remote access to the operators, collect credentials, and serve as a proxy server. In this blogpost, we summarize the findings published in full in our white paper.

To collect data (for instance ssh credentials) or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake’s presence is always accompanied by a rootkit. These binaries such as cat, kill or sshd are commonly used on Linux systems and can additionally serve as a persistence mechanism.

The sneaky nature of FontOnLake’s tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks.

The first known file of this malware family appeared on VirusTotal last May and other samples were uploaded throughout the year. The location of the C&C server and the countries from which the samples were uploaded to VirusTotal might indicate that its targets include Southeast Asia.

We believe that FontOnLake’s operators are particularly cautious since almost all samples seen use unique C&C servers with varying non-standard ports. The authors use mostly C/C++ and various third-party libraries such as Boost, Poco, or Protobuf. None of the C&C servers used in samples uploaded to VirusTotal were active at the time of writing – which indicates that they could have been disabled due to the upload.

Known components of FontOnLake

FontOnLake’s currently known components can be divided into three following groups that interact with each other:

  • Trojanized applications – modified legitimate binaries that are adjusted to load further components, collect data, or conduct other malicious activities.
  • Backdoors – user mode components serving as the main point of communication for its operators.
  • Rootkits – kernel mode components that mostly hide and disguise their presence, assist with updates, or provide fallback backdoors.

Trojanized applications

We discovered multiple trojanized applications; they are used mostly to load custom backdoor or rootkit modules. Aside from that, they can also collect sensitive data. Patches of the applications are most likely applied on the source code level, which indicates that the applications must have been compiled and replaced the original ones.

All the trojanized files are standard Linux utilities and each serves as a persistence method because they are commonly executed on system start-up. The initial way in which these trojanized applications get to their victims is not known.

Communication of a trojanized application with its rootkit runs through a virtual file, which is created and managed by the rootkit. As illustrated in Figure 1, data can be read/written from/to the virtual file and exported with its backdoor component upon the operator’s request.

Figure 1. Interaction of FontOnLake’s components ProxyEgg FontOnLake: Previously unknown malware family targeting Linux - We Live Security

Figure 1. Interaction of FontOnLake’s components


The three different backdoors we discovered are written in C++ and all use, albeit in slightly different ways, the same Asio library from Boost for asynchronous network and low-level I/O. Poco, Protobuf, and features from STL such as smart pointers are used as well. What is rare for malware is the fact that these backdoors also feature a number of software design patterns.

The functionality that they all have in common is that each exfiltrates collected credentials and its bash command history to its C&C.

Considering some of the overlapping functionality, most likely these different backdoors are not used together on one compromised system.

All the backdoors additionally use custom heartbeat commands sent and received periodically to keep the connection alive.

The overall functionality of these backdoors consists of the following methods:

  • Exfiltrating the collected data
  • Creating a bridge between a custom ssh server running locally and its C&C
  • Manipulating files (for instance, upload/download, create/delete, directory listing, modify attributes, and so on)
  • Serving as a proxy
  • Executing arbitrary shell commands and python scripts


We discovered two marginally different versions of the rootkit, used only one at a time, in each of the three backdoors. There are significant differences between those two rootkits, however, certain aspects of them overlap. Even though the rootkit versions are based on the suterusu open-source project, they contain several of their exclusive, custom techniques.

Combined functionality of the two versions of the rootkit we discovered include:

  • Process hiding
  • File hiding
  • Hiding itself
  • Hiding network connections
  • Exposing the collected credentials to its backdoor
  • Performing port forwarding
  • Magic packets reception (magic packets are specially crafted packets that can instruct the rootkit to download and execute another backdoor)

Following our discovery while finalizing our white paper on this topic, vendors such as Tencent Security Response Center, Avast and Lacework Labs published their research on what appears to be the same malware.

All known components of FontOnLake are detected by ESET products as Linux/FontOnLake. Companies or individuals who want to protect their Linux endpoints or servers from this threat should use a multilayered security product and an updated version of their Linux distribution; some of the samples we have analyzed were created specifically for CentOS and Debian.

In the past we described an operation that shared certain behavioral patterns with FontOnLake; however, its scale and impact were much bigger. We dubbed it Operation Windigo and you can find more information about it in this white paper and this follow-up blogpost.

Additional technical details on FontOnLake can be found in our comprehensive white paper.



SHA-1 Description Detection name
1F52DB8E3FC3040C017928F5FFD99D9FA4757BF8 Trojanized cat Linux/FontOnLake
771340752985DD8E84CF3843C9843EF7A76A39E7 Trojanized kill
27E868C0505144F0708170DF701D7C1AE8E1FAEA Trojanized sftp
45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378 Trojanized sshd
1829B0E34807765F2B254EA5514D7BB587AECA3F Custom sshd
8D6ACA824D1A717AE908669E356E2D4BB6F857B0 Custom sshd
38B09D690FAFE81E964CBD45EC7CF20DCB296B4D Backdoor 1 variant 1
56556A53741111C04853A5E84744807EEADFF63A Backdoor 1 variant 2
FE26CB98AA1416A8B1F6CED4AC1B5400517257B2 Backdoor 1 variant 3
D4E0E38EC69CBB71475D8A22EDB428C3E955A5EA Backdoor 1 variant 4
204046B3279B487863738DDB17CBB6718AF2A83A Backdoor 2 variant 1
9C803D1E39F335F213F367A84D3DF6150E5FE172 Backdoor 2 variant 2
BFCC4E6628B63C92BC46219937EA7582EA6FBB41 Backdoor 2 variant 3
515CFB5CB760D3A1DA31E9F906EA7F84F17C5136 Backdoor 3 variant 4
A9ED0837E3AF698906B229CA28B988010BCD5DC1 Backdoor 3 variant 5
56CB85675FE7A7896F0AA5365FF391AC376D9953 Rootkit 1 version 1
72C9C5CE50A38D0A2B9CEF6ADEAB1008BFF12496 Rootkit 1 version 2
B439A503D68AD7164E0F32B03243A593312040F8 Rootkit 1 version 3
E7BF0A35C2CD79A658615E312D35BBCFF9782672 Rootkit 1 version 4
56580E7BA6BF26D878C538985A6DC62CA094CD04 Rootkit 1version 5
49D4E5FCD3A3018A88F329AE47EF4C87C6A2D27A Rootkit 1 version 5
74D44C2949DA7D5164ADEC78801733680DA8C110 Rootkit 2 version 1
74D755E8566340A752B1DB603EF468253ADAB6BD Rootkit 2 version 2
E20F87497023E3454B5B1A22FE6C5A5501EAE2CB Rootkit 2 version 3


From samples:


From internet-wide scan:




Virtual filenames


MITRE ATT&CK techniques

This table was built using version 9 of the ATT&CK framework.

Tactic ID Name Description
Initial Access T1078 Valid Accounts FontOnLake can collect at least ssh credentials.
Execution T1059.004 Command and Scripting Interpreter: Unix Shell FontOnLake enables execution of Unix Shell commands.
T1059.006 Command and Scripting Interpreter: Python FontOnLake enables execution of arbitrary Python scripts.
T1106 Native API FontOnLake uses fork() to create additional processes such as sshd.
T1204 User Execution FontOnLake trojanizes standard tools such as cat to execute itself.
Persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions One of FontOnLake’s rootkits can be executed with a start-up script.
T1037 Boot or Logon Initialization Scripts FontOnLake creates a system start-up script ati_remote3.modules.
T1554 Compromise Client Software Binary FontOnLake modifies several standard binaries to achieve persistence.
Defense Evasion T1140 Deobfuscate/Decode Files or Information Some backdoors of FontOnLake can decrypt AES-encrypted and serialized communication and base64 decode encrypted C&C address.
T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification FontOnLake’s backdoor can change the permissions of the file it wants to execute.
T1564 Hide Artifacts FontOnLake hides its connections and processes with rootkits.
T1564.001 Hide Artifacts: Hidden Files and Directories FontOnLake hides its files with rootkits.
T1027 Obfuscated Files or Information FontOnLake packs its executables with UPX.
T1014 Rootkit FontOnLake uses rootkits to hide the presence of its processes, files, network connections and drivers.
Credential Access T1556 Modify Authentication Process FontOnLake modifies sshd to collect credentials.
Discovery T1083 File and Directory Discovery One of FontOnLake’s backdoors can list files and directories.
T1082 System Information Discovery FontOnLake can collect system information from the victim’s machine.
Lateral Movement T1021.004 Remote Services: SSH FontOnLake collects ssh credentials and most probably intends to use them for lateral movement.
Command and Control T1090 Proxy FontOnLake can serve as a proxy.
T1071.001 Application Layer Protocol: Web Protocols FontOnLake acquires additional C&C servers over HTTP.
T1071.002 Application Layer Protocol: File Transfer Protocols FontOnLake can download additional Python files to be executed over FTP.
T1132.001 Data Encoding: Standard Encoding FontOnLake uses base64 to encode HTTPS responses.
T1568 Dynamic Resolution FontOnLake can use HTTP to download resources that contain an IP address and port number pair to connect to and acquire its C&C. It can use dynamic DNS resolution to construct and resolve to a randomly chosen domain.
T1573.001 Encrypted Channel: Symmetric Cryptography FontOnLake uses AES to encrypt communication with its C&C.
T1008 Fallback Channels FontOnLake can use dynamic DNS resolution to construct and resolve to a randomly chosen domain. One of its rootkits also listens for specially crafted packets, which instruct it to download and execute additional files. It also both connects to a C&C and accepts connections on all interfaces.
T1095 Non-Application Layer Protocol FontOnLake uses TCP for communication with its C&C.
T1571 Non-Standard Port Almost every sample of FontOnLake uses a unique non-standard port.
Exfiltration T1041 Exfiltration Over C2 Channel FontOnLake uses its C&C to exfiltrate collected data.

bandook bandidos eti cta ProxyEgg FontOnLake: Previously unknown malware family targeting Linux - We Live Security

Source of this news:

Related posts:

Studio Network Solutions Improves EVO Suite With Apple-Certified ProRes Transcoding, More Upgrades -...
Story Highlights The Slingshot automations engine and ShareBrowser media asset management system—both included with EVO media servers — have been updated with incredible new features for creative tea...
How to Conceal Your Digital Fingerprint with Smartproxy’s X Browser - Beebom
Living in the digital age is great; you get access to an almost infinite pool of information on pretty much anything you’re looking for. However, there are two sides to every coin, and the digital ...
Dispersion trades are back after losing big in 2020 -
An equity derivatives trade that lost hundreds of millions of dollars during the Covid-19 selloff last March is suddenly popular again. The prospect of rising inflation leading to further sector rota...
The Vatican's Copyright Infringement Suit; Art Infringement - The National Law Review
Friday, June 18, 2021 Street artist Alessia Babrow has sued the Vatican, alleging that the Philatelic and Numismatic Office of the Vatican City State copied her artwork without her permission ...
Con artists using HP cops, imp persons fake WhatsApp IDs, alert issued - All the Statesman
Himachal Pradesh Police on Sunday made aware the netizens of hacker creating fake WhatsApp IDs of important persons since cops of the state to successfully dupe people and aware them not to inte...
What Is Web Scraping? - TechBullion
Everyone has heard of web scraping at some point or another, the process of collecting information from the internet. Scraping could be anything, from copying and pasting a piece of text t...
30 thoughts on “How To Get Discord to Work at Your School or College” - Alphr
When you are at a school, college, or governmental institution, chances are that your access to certain websites is limited. This is especially true for social platforms or content sharing websites t...
Want To Access Blocked Sites At Work? | Opinion - CL Charlotte
If you're like most of us, you enjoy surfing the web at work. Sure, company time and all, but really, who works constantly for eight hours in a row? If you've been doing this for any amount of time,...
Proxy Services Are Not Safe. Try These Alternatives - Wired
Millions of people across the world use free proxy services to bypass censorship filters, improve online security, and access websites that aren't available in their country. But an analysis has foun...
Alexander Vindman Discusses Testifying On The Central Phone Call In Trump Impeachment - NPR
NPR's Mary Louise Kelly speaks with Lt. Col. Alexander Vindman about his memoir Here, Right Matters: An American Story, which describes his role in the impeachment of former President Trump. MAR...
sikka. ai Launches New Is very of Its Award-Winning Sikka API Platform To Optimize Fitness Connectiv...
The Sikka API Ideal provides a single API available for quickly building secure pc care apps for over 90% of the estomatológico, veterinary, orthodontics, oral surgical treatments, chiropractic...
Dustin May Has Finally Discovered His Strikeouts - FanGraphs
The quality of Dustin May’s raw stuff is undeniable. He throws his sinker with the highest average velocity of any starter in the majors and it’s ridiculous tailing action makes it one of the most GI...
Become S-1/A F45 Training Groupe - StreetInsider. com
Promotional Assimilation In connection with the MWIG investment decision, on March  15, 2019, we entered into the Resources Agreement with Mark Wahlberg, a member of our board including ...
GSI Technology : 2021 Annual Report and Proxy Statement -
Fiscal 2021 Annual Report and Proxy Statement July 19, 2021 To Our Stockholders: Fiscal Year 2021 was a year of new opportunities in the face of a global pandemic that impacted all ...
The way you can sign up for Britbox South Africa hailing from Zimbabwe - Technology Mvuma, zimbabwe
I were raised on British TV shows before former Minister Jonathan Moyo came and ruined ZBC with his local content additionally jingles push. We had regarding black and white Peacock TV that most ...
Chris Sale Strikes Out Six Over 3.2 Shutout Innings For Portland Sea Dogs - CBS Boston
BOSTON (CBS) — Chris Sale made his second rehab start on Tuesday, taking the mound for the Double-A Sea Dogs in Portland. Though his uniform was a little different than what Red Sox fans are used t...
Fix Steam Captcha not working - TWCN Tech News
Steam is one of the most popular and widely used gaming apps out there, and for good reason too. Not only can you play games there but also create them. While some games are free, others are to be pa...
TrickBot Spruces Up Its Banking Trojan malware Module - Threatpost
The conductor of your personal data may possibly be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the dealing of personal data can be found in any policy . In ad...

IP Rotating Proxy Onsale


First month free with coupon code FREE30