https://www.welivesecurity.com/wp-content/uploads/2021/10/eset_fontonlake.pdf
EXECUTIVE SUMMARY
FontOnLake is a malware family utilizing well-designed custom modules that are constantly under development. It targets systems running Linux and provides remote access to those systems for its operators, collects credentials, and serves as a proxy server. Its presence is always accompanied by a rootkit, which conceals its existence.

The stealthy nature and advanced design of these tools suggest that they are used in targeted attacks; the location of the C&C server and the countries from which the samples were uploaded to VirusTotal might indicate that its operators target at least Southeast Asia.

We believe that its operators are overly cautious, since almost all samples seen use different, unique C&C servers with varying non-standard ports. The authors use mostly C/C++ and various third-party libraries such as Boost, Poco and Protobuf. None of the C&C servers used in samples uploaded to VirusTotal were active at the time of writing, indicating that they could have been disabled as a result of the upload. We conducted several internet-wide scans that imitated the initial communication of its network protocols on the observed non-standard ports in order to identify C&C servers and victims. We managed to find only one active C&C server, which mostly just maintained connectivity via custom heartbeat commands and did not provide any updates on explicit requests…