FontOnLake

Vladislav Hrčka

ESET

03 Dec

02:05 PM to 02:35 PM – SGT

Abstract:

FontOnLake is a previously unknown malware family targeting Linux systems. Its first known file was spotted last year and several other samples were discovered throughout the following year. The group's tools have not been fully described before, and their stealth, advanced design and low prevalence suggest that they may be used in targeted attacks. The locations of its C&C servers and the countries from which the samples were uploaded to VirusTotal indicate that the group operates at least in Southeast Asia.

In our presentation we describe the custom components developed by the group and the way they cooperate. Each infiltration features modified legitimate binaries that are adjusted to load backdoors and rootkits, or to collect SSH credentials and other data. We identified three different backdoors, all written in C++ and all using the Asio library from Boost in a similar way for asynchronous network and low-level I/O; other standard and external libraries such as Poco and Protobuf are heavily used as well. These backdoors are always accompanied by a rootkit that hides its files and network connections. We differentiate between two versions of the rootkit, and it can additionally contain interesting features such as receiving magic packets: specially crafted packets that instruct the rootkit to download and execute another backdoor.
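The abstract notes that every infiltration relies on modified legitimate binaries (for example, ones adjusted to harvest SSH credentials). One check a defender would want is to verify installed binaries against the package manager's recorded checksums. The Python below is an added example, not code from the talk or from ESET, and it assumes the tampered binaries are package-managed files, so that `rpm -Va` (RPM-based distributions) or `dpkg -V` (Debian-based) reports them; the sample verification lines are constructed for illustration and do not come from a FontOnLake infection. The parser flags non-config files under system binary directories whose checksum or size differs, or which are missing, and ignores config files, which change legitimately.

```python
from dataclasses import dataclass

# Constructed sample lines mimicking `rpm -Va` output (illustrative only).
# Format: nine flag characters (S size, M mode, 5 MD5/digest, D device,
# L link, U user, G group, T mtime, P capabilities; '.' = unchanged),
# optional single-letter file type ('c' = config file), then the path.
# "missing" replaces the flags when the file is gone.
SAMPLE_RPM = """\
S.5....T.    /usr/bin/ssh
.......T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/kill
missing      /usr/sbin/sshd
"""

# Constructed sample lines mimicking `dpkg -V` output (illustrative only).
# dpkg uses '?' for checks it does not implement and '5' for a digest mismatch.
SAMPLE_DPKG = """\
??5??????   /bin/ps
??5?????? c /etc/pam.d/sshd
"""

# Directories whose files we treat as executables or libraries worth flagging
# (an assumption for this example; extend to match the host's layout).
BINARY_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
               "/usr/lib/", "/usr/libexec/", "/lib/")


@dataclass
class Finding:
    path: str
    reason: str


def parse_verify_line(line):
    """Split one rpm -V / dpkg -V line into (flags, file_type, path).

    Returns None for lines that do not look like verification output.
    Whitespace splitting avoids depending on each tool's exact padding.
    """
    parts = line.split()
    if len(parts) < 2:
        return None
    flags, path = parts[0], parts[-1]
    file_type = parts[1] if len(parts) == 3 else ""
    if flags != "missing" and len(flags) != 9:
        return None
    return flags, file_type, path


def classify(line):
    """Return a Finding for a modified or missing system binary, else None."""
    parsed = parse_verify_line(line)
    if parsed is None:
        return None
    flags, file_type, path = parsed
    if file_type == "c":
        return None  # config file: edits are expected, not evidence of tampering
    if not path.startswith(BINARY_DIRS):
        return None
    if flags == "missing":
        return Finding(path, "missing")
    if "5" in flags:
        return Finding(path, "checksum mismatch")
    if "S" in flags:
        return Finding(path, "size changed")
    return None  # e.g. only mtime ('T') differs: contents still match the package


def find_modified_binaries(verify_output):
    """Run classify() over every line of verification output."""
    return [f for f in (classify(l) for l in verify_output.splitlines()) if f]


if __name__ == "__main__":
    for sample in (SAMPLE_RPM, SAMPLE_DPKG):
        for finding in find_modified_binaries(sample):
            print(f"{finding.reason:18} {finding.path}")
```

Two caveats apply. A rootkit that hides files or hooks the file-system calls, as the abstract describes, can also lie to `rpm` and `dpkg` running on the infected host, so run the verification from a rescue environment or boot medium, or compare against digests taken from the distribution's package files rather than the local package database, which an attacker with root can rewrite. The check also says nothing about binaries that were never package-managed; those need a separate baseline.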

Speakers

Vladislav Hrčka

Malware Researcher
