FontOnLink Linux Malware Has Been Active Since May

Linux malware is a fairly rare sight when talking about cybersecurity. However, there are multiple Advanced Persistent Threat (APT) actors specializing in the development of malware for Linux. One of the latest threats to be the product of such a group is the FontOnLink Malware. It appears to feature a modular structure, thus enabling its operators to expand or shrink its functionality on-the-fly. The implant is undergoing regular updates and improvements, and it appears to focus on remote access to compromised machines.

It is important to add that the FontOnLink Malware is not widely spread. In fact, it has been involved in a very small number of targeted attacks. This is another reason to assume that its creators are only using it against handpicked targets, instead of launching an all-out propagation campaign.

FontOnLink Combines Backdoor and Rootkit Functionality

It appears that the payload has three primary components, which serve separate purposes. The first one consists of Trojanized apps that work like normal software, but also execute malicious tasks in the background. These tasks include collecting data, modifying settings, and more. The second group is backdoors, which enable the execution of remote code. The last one are rootkits, which grant the FontOnLink Malware persistence, and greatly enhance its stealth.

Although the first instances of the FontOnLink Malware date back to May 2021, there is still no information about the methods that the criminals use to approach their victims. However, judging by the highly targeted attacks, it is safe to assume that they are either exploiting security vulnerabilities, or relying on phishing content.

Some of FontOnLink Malware's primary abilities include:

  • Stealing files.
  • Remote access to compromised machines.
  • Modifying files – upload, download, creation/deletion, and more.
  • Running a proxy server.
  • Executing remote commands and pre-made scripts (usually written in Python.)

While the FontOnLink Malware does not target regular Linux users, it still joins a long list of threats able to infect this operating system. Linux users should not rely on just the OS' robust security features – they should also invest in 3rd-party security software.

October 8, 2021