Free download management site compromised to distribute Linux malware to users for over 3 years
A download management site served malware to Linux users that stealthily stole passwords and other sensitive information for more than three years in a supply chain attack.
The modus operandi involved establishing a reverse shell on an actor-controlled server and installing a Bash thief on the compromised system. The campaign, which ran between 2020 and 2022, is no longer active.
“This thief collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials of cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure)”, Kaspersky researchers Georgy Kucherin and Leonid Bezvershenko. said.
The website in question is freedownloadmanager(.)org, which the Russian cybersecurity company claims offers legitimate Linux software called “Free Download Manager”, but began redirecting some users who attempted to download it starting in January 2020 to another area. deb.fdmpkg(.)org which served a trapped Debian package.
It is suspected that the malware authors designed the attack based on some predefined filtering criteria (e.g., a system fingerprint) to selectively direct potential victims to the malicious version. The malicious redirects ended in 2022 for inexplicable reasons.
The Debian package contains a post-installation script which is run during its installation to remove two ELF files, /var/tmp/bs and a DNS-based backdoor (/var/tmp/crond) that launches a reverse shell to a command and control (C2) server , which is received in response to a DNS query to one of four domains –
- 2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg(.)org
- c6d76b1748b67fbc21ab493281dd1c7a558e3047.u.fdmpkg(.)org
- 0727bedf5c1f85f58337798a63812aa986448473.u.fdmpkg(.)org
- c3a05f0dac05669765800471abc1fdaba15e3360.u.fdmpkg(.)org
“The communication protocol is, depending on the type of connection, SSL or TCP,” the researchers said. “In the case of SSL, the crond backdoor launches the /var/tmp/bs executable and delegates all subsequent communications to it. Otherwise, the reverse shell is created by the crond backdoor itself.”
The ultimate goal of the attack is to deploy stealing malware and harvest sensitive data from the system. The collected information is then uploaded to the attacker’s server using an upload binary downloaded from the C2 server.
crond, Kaspersky said, is a variation of a backdoor known as Bew that has been traffic Since 2013while an early version of the Bash thief malware was already documented by Yoroi in June 2019.
Identity is the New Endpoint: Mastering SaaS Security in the Modern Age
Dive into the future of SaaS security with Maor Bin, CEO of Adaptive Shield. Find out why identity is the new endpoint. Reserve your place now.
It is unclear how the compromise actually came about or what the ultimate goals of the campaign were. What is obvious is that not everyone who downloaded the software received the malicious package, allowing it to evade detection for years.
“Although the campaign is currently inactive, this case of Free Download Manager demonstrates that it can be quite difficult to detect cyberattacks in progress on Linux machines with the naked eye,” the researchers said.
“It is therefore essential that Linux machines, whether desktop or server, are equipped with reliable and effective security solutions.”
