
Free Download Manager Site Redirected Users To Malware


The discovery was made by Kaspersky Labs, while investigating different domains for suspicious activities.

This particular malware was used in a campaign that ran for three years. The infected package establishes a reverse shell to a C2 server and installs a Bash stealer, which collects user data and account credentials and then sends them to the threat actor's server.

The domains that were investigated:

2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg[.]org
c6d76b1748b67fbc21ab493281dd1c7a558e3047.u.fdmpkg[.]org
0727bedf5c1f85f58337798a63812aa986448473.u.fdmpkg[.]org
c3a05f0dac05669765800471abc1fdaba15e3360.u.fdmpkg[.]org

The sub-domain identified as spreading malware targeting Debian-based Linux distributions was deb.fdmpkg[.]org.

The version of Free Download Manager installed by the infected package was released on January 24, 2020. The postinst script contains comments in Russian and Ukrainian, including notes about improvements made to the malware as well as activist statements; they mention the dates 20200126 (January 26, 2020) and 20200127 (January 27, 2020).

The security researchers noticed that not all visitors were redirected: the site appears to have served malicious downloads only to specific users, based on criteria that remain unknown.

Furthermore, they discovered posts on social media (Reddit, StackOverflow, YouTube and Unix Stack Exchange) where users who had installed the infected version 6.x were having problems and asked other users for help. Although the files were identified as the cause of the problems, nobody noticed that they were malicious.

The whole infection chain as described by Kaspersky:

[Image: FDM Malware infection chain diagram]

The Bash stealer collects system info, browsing history, passwords saved on browsers, RMM authentication keys, shell history, cryptocurrency wallet data, and account credentials for AWS, Google Cloud, Oracle Cloud Infrastructure and Azure cloud services.

Files to look for on your system:

  • /etc/cron.d/collect
  • /var/tmp/crond
  • /var/tmp/bs

You need to manually delete these if they are present on your system.
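The following POSIX sh triage helper is an added example; it is not code from the original post or from Kaspersky's report. It turns the two indicator lists above (the fdmpkg[.]org sub-domains and the three file paths) into checks a defender can run: it looks for the listed files, searches dpkg maintainer scripts for references to them (the post says the malicious postinst script is where the payload was planted), and counts lines in a DNS or proxy log that touch fdmpkg.org or any of its sub-domains. The ROOT argument (default "/") lets the file checks run against a mounted disk image or a constructed test tree rather than the live host. The sample log lines are constructed; the page's "/var/tmb/bs" is read here as /var/tmp/bs, matching the other /var/tmp entry (an assumption).

```shell
#!/bin/sh
# Added example, not code from the original post or from Kaspersky's report.
# Triage helpers for the backdoored Free Download Manager package:
#   1. the three on-disk indicators the post lists,
#   2. dpkg maintainer scripts that reference those paths,
#   3. log lines that resolve or fetch anything under fdmpkg.org.
# ROOT (default "/") lets checks 1 and 2 run against a mounted image or a
# test tree. Assumption: the page's "/var/tmb/bs" is read as /var/tmp/bs.

FDM_IOC_PATHS="/etc/cron.d/collect /var/tmp/crond /var/tmp/bs"

# Constructed sample log (not real traffic) used by the demo below; the first
# and last hostnames are taken from the post, the .deb path is made up.
SAMPLE_LOG='2020-01-27T10:15:02 client=10.0.0.5 query=deb.fdmpkg.org type=A
2020-01-27T10:15:03 client=10.0.0.5 GET http://deb.fdmpkg.org/pool/example.deb
2020-01-27T10:16:40 client=10.0.0.9 query=deb.debian.org type=A
2020-01-27T10:17:01 client=10.0.0.5 query=2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg.org type=A'

# Print every listed path that exists under ROOT, one per line.
# Exit status 0 when none are present, 1 when at least one is found.
check_fdm_files() {
    root="${1:-/}"; root="${root%/}"
    hits=0
    for p in $FDM_IOC_PATHS; do
        if [ -e "$root$p" ]; then
            printf 'FOUND %s\n' "$root$p"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Count maintainer scripts under ROOT/var/lib/dpkg/info that mention any of
# the indicator paths; details go to stderr, the count to stdout.
count_tainted_maintainer_scripts() {
    root="${1:-/}"; root="${root%/}"
    dir="$root/var/lib/dpkg/info"
    n=0
    [ -d "$dir" ] || { echo 0; return; }
    for script in "$dir"/*.preinst "$dir"/*.postinst "$dir"/*.prerm "$dir"/*.postrm; do
        [ -f "$script" ] || continue          # skip unexpanded globs
        for p in $FDM_IOC_PATHS; do
            if grep -qF -- "$p" "$script"; then
                printf 'SUSPICIOUS %s references %s\n' "$script" "$p" >&2
                n=$((n + 1))
                break                         # count each script once
            fi
        done
    done
    echo "$n"
}

# Count lines of the log file $1 that contain fdmpkg.org or any sub-domain
# of it (word-bounded, so "notfdmpkg.org" does not match); matching lines
# are echoed to stderr for the analyst, the count to stdout.
count_fdm_domain_hits() {
    pattern='(^|[^A-Za-z0-9.-])([A-Za-z0-9-]+\.)*fdmpkg\.org([^A-Za-z0-9-]|$)'
    grep -Ei -- "$pattern" "$1" >&2 || true
    grep -Eic -- "$pattern" "$1" || true
}

# Build a constructed tree that mimics an infected host, run all three
# checks against it, and clean up.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/cron.d" "$tmp/var/tmp" "$tmp/var/lib/dpkg/info"
    : > "$tmp/etc/cron.d/collect"
    : > "$tmp/var/tmp/crond"
    printf '#!/bin/sh\ncp payload /var/tmp/crond\n' > "$tmp/var/lib/dpkg/info/example.postinst"
    printf '%s\n' "$SAMPLE_LOG" > "$tmp/dns.log"
    check_fdm_files "$tmp" || echo "-> file indicators present under $tmp"
    echo "-> tainted maintainer scripts: $(count_tainted_maintainer_scripts "$tmp")"
    echo "-> log lines touching fdmpkg.org: $(count_fdm_domain_hits "$tmp/dns.log")"
    rm -rf "$tmp"
}

demo
```

On a real host run `check_fdm_files` with no argument (or with the mount point of an image taken from a suspect machine) and point `count_fdm_domain_hits` at resolver or proxy logs covering the period in question; a match on the sub-domain pattern is worth a look even when none of the files are present, since the post notes that only some visitors received the infected package.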

The question remains why nobody in the cybersecurity community discovered this earlier.

Kaspersky Labs says it could be because of one of the following reasons:

"As opposed to Windows, Linux malware is much more rarely observed;

Infections with the malicious Debian package occurred with a degree of probability: some users received the infected package, while others ended up downloading the benign one;

Social network users discussing Free Download Manager issues did not suspect that they were caused by malware."

The "Free Download Manager campaign" is currently inactive, but it shows that ongoing cyberattacks on Linux machines can be quite difficult to detect without proper security solutions installed.

Read the whole post from Kaspersky here.
