2021-10-11

Gone are the days when viruses were almost exclusively a Windows problem. Over time, as the number of Linux and Mac users has grown, threats have become more diverse, stealthier, and more flexible.

Now there is malware being used in targeted attacks against Linux systems, and its name is FontOnLake.

The cybersecurity firm ESET says that the malware is still under development, but it already has remote-access capabilities, credential-stealing functions, and the ability to set up proxy servers.

The first known sample appeared on VirusTotal in May 2020, but that was still a version with far fewer features. The malware is now more complete, and it is being used against Linux systems in Southeast Asia.

The samples obtained use different server addresses and various ports, but the malware's authors are known to use C/C++ and various libraries, such as Boost and Protobuf.

It is modular malware: it infects the machine and executes malicious code, installing trojanized applications that load backdoors and collect information. According to the research team, the trojanized applications were modified at the source-code level, so they had to be compiled and then swapped in for the legitimate originals.
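Because the trojanized applications replace legitimate binaries on disk, the defensive check that matters is file integrity: record a trusted baseline of hashes and later compare. The following is an added example written for this article, not code from ESET or from the report it summarizes. It builds a baseline of SHA-256 hashes, persists it as JSON, and reports files that are missing or whose contents changed; the two "binaries" in the demo are constructed placeholder files in a temporary directory, and the names `sshd` and `cat` are only stand-ins.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, names):
    """Map each named file under root to its hash. Run this right after a trusted install."""
    return {name: sha256_of(Path(root) / name) for name in names}


def save_baseline(baseline, path):
    """Persist the baseline; in practice store it off-host or on read-only media."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def verify_baseline(root, baseline):
    """Return {name: 'missing' | 'modified'} for every file that no longer matches."""
    findings = {}
    for name, expected in baseline.items():
        current = Path(root) / name
        if not current.is_file():
            findings[name] = "missing"
        elif sha256_of(current) != expected:
            findings[name] = "modified"
    return findings


def demo():
    """Constructed scenario: baseline two stand-in binaries, then swap one of them out."""
    with tempfile.TemporaryDirectory() as root:
        root_path = Path(root)
        (root_path / "cat").write_bytes(b"\x7fELF placeholder: original cat")
        (root_path / "sshd").write_bytes(b"\x7fELF placeholder: original sshd")

        baseline_file = root_path / "baseline.json"
        save_baseline(build_baseline(root, ["cat", "sshd"]), baseline_file)

        # Simulate a rebuilt binary being dropped over the original (same name, new content).
        (root_path / "sshd").write_bytes(b"\x7fELF placeholder: rebuilt sshd")

        return verify_baseline(root, load_baseline(baseline_file))


if __name__ == "__main__":
    print(demo())
```

On a real host the baseline should come from a trusted source rather than the possibly-compromised machine itself: the package manager's own manifests (for example `rpm -V` on RPM-based systems or `debsums` on Debian-based ones) serve the same purpose, and a baseline kept only on the host can be edited by the same attacker who replaced the binary.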

FontOnLake is paired with a kernel-mode rootkit, which lets it stay active on the infected Linux machine. According to Avast, the rootkit is based on the open source Suterusu project.
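A kernel-mode rootkit that hides its own module typically removes it from the list that `/proc/modules` is built from; a widely used heuristic is to compare that list against the module directories in `/sys/module`, since the two are maintained separately. The code below is an added example for this article, not part of the ESET or Avast research, and it makes one assumption about sysfs layout: a loadable module's directory contains an `initstate` file, while built-in modules do not. The demo data (module names, sizes, the `suspicious_mod` name) is constructed in a temporary directory; on a real Linux host `check_live_system()` reads the actual files.

```python
import tempfile
from pathlib import Path

PROC_MODULES = Path("/proc/modules")
SYS_MODULE = Path("/sys/module")


def parse_proc_modules(text):
    """Module names from /proc/modules: the first whitespace-separated field of each line."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def loadable_modules_in_sysfs(sys_module_dir):
    """Names of loadable modules in sysfs. Assumption: only loadable modules carry an
    'initstate' attribute, so directories without it (built-in modules) are skipped."""
    root = Path(sys_module_dir)
    if not root.is_dir():
        return set()
    return {entry.name for entry in root.iterdir() if (entry / "initstate").is_file()}


def find_hidden_modules(proc_names, sysfs_names):
    """Loadable modules present in sysfs but absent from /proc/modules, sorted for stable output."""
    return sorted(sysfs_names - proc_names)


def check_live_system():
    """Run the comparison on the host; returns None when /proc/modules is unavailable."""
    if not PROC_MODULES.is_file():
        return None
    return find_hidden_modules(
        parse_proc_modules(PROC_MODULES.read_text()),
        loadable_modules_in_sysfs(SYS_MODULE),
    )


# Constructed sample: what /proc/modules might show when one module has unlinked itself.
SAMPLE_PROC_MODULES = """\
xt_tcpudp 20480 4 - Live 0x0000000000000000
x_tables 53248 1 xt_tcpudp, Live 0x0000000000000000
"""


def demo():
    """Build a fake /sys/module tree with three loadable modules and one built-in, then compare."""
    with tempfile.TemporaryDirectory() as fake_sysfs:
        root = Path(fake_sysfs)
        for name in ("xt_tcpudp", "x_tables", "suspicious_mod"):
            (root / name).mkdir()
            (root / name / "initstate").write_text("live\n")
        (root / "builtin_core").mkdir()  # built-in: no initstate attribute
        return find_hidden_modules(
            parse_proc_modules(SAMPLE_PROC_MODULES),
            loadable_modules_in_sysfs(root),
        )


if __name__ == "__main__":
    print("demo:", demo())
    print("live:", check_live_system())
```

Treat a non-empty result as a signal, not proof: a rootkit running in the kernel can also tamper with what userland reads from `/proc` and `/sys`, so an empty result from a live system does not clear it. Pair this with inspection of the disk from a trusted boot medium and with the file-integrity check described above for the trojanized binaries.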

You can get more information in this PDF.