A download manager site provided Linux users with malware that covertly stole passwords and other sensitive information for more than three years as part of a supply chain attack.
The modus operandi consisted of setting up a reverse shell to an actor-controlled server and installing a Bash stealer on the compromised system. The campaign, which ran between 2020 and 2022, is no longer active.
“This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files and credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure),” Kaspersky researchers Georgy Kucherin and Leonid Bezvershenko said.
The website in question is freedownloadmanager[.]org, which, according to the Russian cybersecurity company, offers legitimate Linux software called “Free Download Manager”. As of January 2020, however, it began redirecting some users who tried to download it to a second domain, deb.fdmpkg[.]org, which served a booby-trapped Debian package.
It is suspected that the attackers gated the redirect on predefined filtering criteria (e.g. a fingerprint of the visiting system) so that only selected visitors were sent to the malicious version. The fraudulent redirects stopped in 2022 for unexplained reasons.
The Debian package includes a post-install script that runs at installation time and drops two ELF files: /var/tmp/bs and a DNS-based backdoor (/var/tmp/crond). The backdoor launches a reverse shell to a command-and-control (C2) server whose address is received in response to a DNS request to one of four domains –
“The communication protocol is, depending on the connection type, SSL or TCP,” the researchers said. “In the case of SSL, the crond-backdoor launches the /var/tmp/bs executable and delegates all further communication to it. Otherwise, the reverse shell is created by the crond-backdoor itself.”
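The drop mechanism described above is visible in the package itself: a .deb is an ar archive whose control.tar.* member holds the maintainer scripts (preinst, postinst, prerm, postrm), so a postinst that stages binaries into /var/tmp can be found without installing anything. The scanner below is an added example, not code from Kaspersky's report or from Free Download Manager: it parses the ar container and the control tarball, then flags every maintainer-script line that references a path under /tmp or /var/tmp, rating the two paths named in the report as high and anything else as medium. The postinst it scans is a constructed stand-in modelled on the described behaviour, not the real script; the source paths under /usr/share/fdm are assumptions.

```python
"""Inspect a .deb's maintainer scripts for files dropped into temp directories.

Added example (not Kaspersky's or Free Download Manager's code). A .deb is an ar
archive holding debian-binary, control.tar.* and data.tar.*; the maintainer
scripts live in control.tar.*. The postinst below is a constructed stand-in for
the behaviour described in the report, not the actual script.
"""
import io
import re
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
# The two drop paths named in the report; other /tmp or /var/tmp writes are a weaker signal.
KNOWN_DROP_PATHS = {"/var/tmp/bs", "/var/tmp/crond"}
TEMP_PATH_RE = re.compile(r"(?<![\w-])(?:/var)?/tmp/[A-Za-z0-9._/-]+")


def _ar_member(name: str, data: bytes) -> bytes:
    """One ar archive member: 60-byte header, data, padded to an even length."""
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    return header + data + (b"\n" if len(data) % 2 else b"")


def build_deb(control_files: dict[str, bytes]) -> bytes:
    """Build a minimal .deb for exercising the scanner (constructed fixture)."""
    ctl = io.BytesIO()
    with tarfile.open(fileobj=ctl, mode="w:gz") as tf:
        for name, body in control_files.items():
            info = tarfile.TarInfo(name="./" + name)
            info.size, info.mode = len(body), 0o755
            tf.addfile(info, io.BytesIO(body))
    payload = io.BytesIO()
    with tarfile.open(fileobj=payload, mode="w:gz"):
        pass  # empty data.tar.gz; only the maintainer scripts matter here
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", ctl.getvalue())
            + _ar_member("data.tar.gz", payload.getvalue()))


def iter_ar_members(blob: bytes):
    """Yield (name, bytes) for each member of an ar archive."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[:16].decode().strip().rstrip("/")  # GNU ar may append '/'
        size = int(hdr[48:58].decode().strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)


def read_control_members(deb: bytes) -> dict[str, bytes]:
    """Return {filename: content} from control.tar.* (gz/bz2/xz via tarfile; zst needs extra handling)."""
    for name, body in iter_ar_members(deb):
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tf:
                return {m.name.lstrip("./"): tf.extractfile(m).read()
                        for m in tf.getmembers() if m.isfile()}
    raise ValueError("no control.tar member found")


def scan_maintainer_scripts(deb: bytes) -> list[dict]:
    """One finding per temp-directory path referenced in a maintainer script."""
    findings = []
    members = read_control_members(deb)
    for script in MAINTAINER_SCRIPTS:
        body = members.get(script)
        if body is None:
            continue
        for lineno, line in enumerate(body.decode(errors="replace").splitlines(), 1):
            for path in TEMP_PATH_RE.findall(line):
                findings.append({
                    "script": script, "line": lineno, "path": path,
                    "severity": "high" if path in KNOWN_DROP_PATHS else "medium",
                    "text": line.strip(),
                })
    return findings


# Constructed samples: a benign postinst and one that stages and starts two
# binaries from /var/tmp (source paths under /usr/share/fdm are hypothetical).
BENIGN_POSTINST = b"#!/bin/sh\nset -e\nupdate-desktop-database -q || true\nexit 0\n"
SUSPICIOUS_POSTINST = b"""#!/bin/sh
set -e
cp /usr/share/fdm/bs /var/tmp/bs
cp /usr/share/fdm/crond /var/tmp/crond
chmod +x /var/tmp/bs /var/tmp/crond
/var/tmp/crond &
echo done > /tmp/fdm-postinst.log
exit 0
"""
BENIGN_DEB = build_deb({"control": b"Package: fdm-benign\n", "postinst": BENIGN_POSTINST})
SUSPICIOUS_DEB = build_deb({"control": b"Package: fdm-suspect\n", "postinst": SUSPICIOUS_POSTINST})

if __name__ == "__main__":
    for label, deb in (("benign", BENIGN_DEB), ("suspicious", SUSPICIOUS_DEB)):
        for f in scan_maintainer_scripts(deb):
            print(f"[{label}] {f['severity']:6} {f['script']}:{f['line']} {f['path']}  <- {f['text']}")
```

One caveat follows directly from the selective redirects described above: a package pulled by an analyst may be the clean one, so a scan that finds nothing says nothing about what targeted users received. Scan the exact file a suspect host installed (or compare its hash with the vendor's published one) rather than a fresh download.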
The ultimate goal of the attack is to deploy stealer malware and collect sensitive data from the system. The collected information is then uploaded to the attacker’s server using a binary downloaded from the C2 server.
crond, Kaspersky said, is a variant of a backdoor known as Bew that has been in circulation since 2013, while an early version of the Bash stealer malware was previously documented by Yoroi in June 2019.
It is not immediately clear how the compromise actually came about and what the end goals of the campaign were. What is clear is that not everyone who downloaded the software received the fraudulent package, allowing it to evade detection for years.
“Although the campaign is currently inactive, this case of Free Download Manager shows that it can be quite difficult to detect persistent cyber attacks on Linux machines with the naked eye,” the researchers said.
“It is therefore essential that Linux machines, both desktop and server, are equipped with reliable and efficient security solutions.”