Security | 14.09.2023

Website served password-stealing Linux malware for 3 years

Security researchers at Kaspersky have discovered a seemingly benign website has been serving Linux users with malware for over three years.

The official Free Download Manager website (freedownloadmanager[.]org) initially only offered a non-harmful version of the Linux Free Download Manager on a Debian repository for several years.

However, from early 2020, the domain sometimes redirected users to the deb.fdmpkg[.]org subdomain, containing malicious versions of the app.

These versions contained a malicious post-install (postinst) script.

“This script drops two ELF files to the paths /var/tmp/crond and /var/tmp/bs,” the researchers explained. ELF files are executable files or programs Linux systems can run.

“It then establishes persistence by creating a cron task (stored in the file /etc/cron.d/collect) that launches the /var/tmp/crond file every 10 minutes.”

The executable in /var/tmp/crond is then launched every time the infected Linux machine starts up and acts as a backdoor.

The attackers use the backdoor to deploy a Bash stealer, which can collect system information such as a user’s browsing history, saved passwords, cryptocurrency wallet files, and credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure).

Kaspersky’s researchers established the version of Free Download Manager installed by the infected package was released in January 2020.

The postinst script contains comments in Russian and Ukrainian, including information about improvements made to the malware, as well as activist statements.

Kaspersky also found several tutorials on downloading Free Download Manager on YouTube, which showed the creators downloading the infected versions of the software.

However, not all users were redirected to download the malicious file instead of the uninfected version.

“It is possible that the malware developers scripted the malicious redirection to appear with some degree of probability or based on digital fingerprint of the potential victim,” the researchers said.

They advised that users who have downloaded the malicious file remove the files /etc/cron.d/collect, /var/tmp/crond and /var/tmp/bs to avoid future attacks, even though the campaign is currently inactive.

The developers behind the official Free Download Manager website have not acknowledged that their website had been compromised, despite Kaspersky contacting them about the issue.

Kaspersky also provided lists of file hashes, domains, and IP addresses to help potentially affected users determine whether their machines had been compromised and if further action was necessary.

File checksums

  • b77f63f14d0b2bde3f4f62f4323aad87194da11d71c117a487e18ff3f2cd468d (Malicious Debian Package)
  • 2214c7a0256f07ce7b7aab8f61ef9cbaff10a456c8b9f2a97d8f713abd660349 (crond backdoor)
  • 93358bfb6ee0caced889e94cd82f6f417965087203ca9a5fce8dc7f6e1b8a3ea (bs backdoor)
  • d73be6e13732d365412d71791e5eb1096c7bb13d6f7fd533d8c04392ca0b69b5 (atd uploader)

File paths

  • /etc/cron.d/collect
  • /var/tmp/crond
  • /var/tmp/bs
  • /var/tmp/atd

Network indicators (domains and IP addresses)

  • fdmpkg.org
  • 172.111.48.101
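As an added example (not code from the article or from Kaspersky), the following Python check turns the indicators above into a host scan: it hashes any file found at the listed drop paths against the published SHA-256 checksums and inspects /etc/cron.d/collect for the 10-minute crond task the article describes. The `root` parameter and the constructed sample tree are assumptions for testing; on a live host call `scan_host("/")`.

```python
import hashlib
import os
import re
import tempfile

# Indicators exactly as published in the article (paths relative to the scanned root).
KNOWN_HASHES = {
    "2214c7a0256f07ce7b7aab8f61ef9cbaff10a456c8b9f2a97d8f713abd660349": "crond backdoor",
    "93358bfb6ee0caced889e94cd82f6f417965087203ca9a5fce8dc7f6e1b8a3ea": "bs backdoor",
    "d73be6e13732d365412d71791e5eb1096c7bb13d6f7fd533d8c04392ca0b69b5": "atd uploader",
}
DROP_PATHS = ["var/tmp/crond", "var/tmp/bs", "var/tmp/atd"]
CRON_FILE = "etc/cron.d/collect"

def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_host(root="/"):
    """Return (category, detail) findings for the article's indicators under root."""
    findings = []
    for rel in DROP_PATHS:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            label = KNOWN_HASHES.get(sha256_of(path), "unlisted hash at known drop path")
            findings.append(("file", f"{path}: {label}"))
    cron_path = os.path.join(root, CRON_FILE)
    if os.path.isfile(cron_path):
        with open(cron_path, errors="replace") as f:
            body = f.read()
        # The article: the cron task launches /var/tmp/crond every 10 minutes.
        hit = re.search(r"^\s*\*/10\b.*/var/tmp/crond", body, re.M)
        detail = "10-minute /var/tmp/crond task" if hit else "exists, schedule differs"
        findings.append(("cron", f"{cron_path}: {detail}"))
    return findings

def build_sample_tree():
    """Constructed sample: a fake root with a dummy crond binary and the cron task."""
    root = tempfile.mkdtemp(prefix="fdm-sample-")
    os.makedirs(os.path.join(root, "var/tmp"))
    os.makedirs(os.path.join(root, "etc/cron.d"))
    with open(os.path.join(root, "var/tmp/crond"), "wb") as f:
        f.write(b"\x7fELF constructed placeholder, not the real backdoor\n")
    with open(os.path.join(root, "etc/cron.d/collect"), "w") as f:
        f.write("*/10 * * * * root /var/tmp/crond\n")
    return root
```

A file at a drop path whose hash is not in the published list is still reported, since a re-packed backdoor would not match the known checksums.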
