{"id":507970,"date":"2023-09-14T14:00:45","date_gmt":"2023-09-14T12:00:45","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=507970"},"modified":"2023-09-14T14:04:59","modified_gmt":"2023-09-14T12:04:59","slug":"website-served-password-stealing-linux-malware-for-3-years","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/507970-website-served-password-stealing-linux-malware-for-3-years.html","title":{"rendered":"Website served password-stealing Linux malware for 3 years"},"content":{"rendered":"

Security researchers at Kaspersky have discovered a seemingly benign website<\/strong><\/a> has been serving Linux users with malware for over three years.<\/p>\n

The official Free Download Manager website (freedownloadmanager[.]org) initially only offered a non-harmful version of the Linux Free Download Manager on a Debian repository for several years.<\/p>\n

However, from early 2020, the domain sometimes redirected users to the deb.fdmpkg[.]org<\/em> subdomain, containing malicious versions of the app.<\/p>\n

These versions contained an unfiltered post-install script.<\/p>\n

“This script drops two ELF files to the paths \/var\/tmp\/crond<\/em> and \/var\/tmp\/bs<\/em>,” the researchers explained. ELF files are executable files or programs Linux systems can run.<\/p>\n

“It then establishes persistence by creating a cron task (stored in the file \/etc\/cron.d\/collect) that launches the \/var\/tmp\/crond<\/em> file every 10 minutes.”<\/p>\n

The executable in \/var\/tmp\/crond<\/em> is then launched every time the infected Linux machine starts up and acts as a backdoor.<\/p>\n

The attackers use the backdoor to deploy a Bash stealer, which can collect system information such as a user’s browsing history, saved passwords, cryptocurrency wallet files, and credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure).<\/p>\n

Kaspersky’s researchers established the version of Free Download Manager installed by the infected package was released in January 2020.<\/p>\n

The postinst<\/em> script contains comments in Russian and Ukrainian, including information about improvements made to the malware, as well as activist statements.<\/p>\n

Kaspersky also found several tutorials on downloading Free Download Manager on YouTube, which showed the creators downloading the infected versions of the software.<\/p>\n

However, not all users were redirected to download the malicious file instead of the uninfected version.<\/p>\n

“It is possible that the malware developers scripted the malicious redirection to appear with some degree of probability or based on digital fingerprint of the potential victim,” the researchers said.<\/p>\n

They advised that users who have downloaded the malicious file remove the \/etc\/cron.d\/collect<\/em>, \/var\/tmp\/crond<\/em> and \/var\/tmp\/bs\u00a0<\/em>to avoid future attacks, despite the campaign currently being inactive.<\/p>\n

The developers behind the official Free Download Manager website have not acknowledged that their website had been compromised, despite Kaspersky contacting them about the issue.<\/p>\n

Kaspersky also provided lists of file hashes, domains, and IP addresses to help potentially affected users determine whether their machines had been compromised and if further action was necessary.<\/p>\n

File checksums<\/strong><\/p>\n