Free Download Manager site compromised to distribute Linux malware to users for over three years

September 14, 2023 | THN | Supply chain/malware

A download manager site provided Linux users with malware that covertly stole passwords and other sensitive information for more than three years as part of a supply chain attack.

The modus operandi consisted of setting up a reverse shell to an actor-controlled server and installing a Bash stealer on the compromised system. The campaign, which took place between 2020 and 2022, is no longer active.

“This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files and credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure),” Kaspersky researchers Georgy Kucherin and Leonid Bezvershenko said.

The website in question is freedownloadmanager[.]org, which, according to the Russian cybersecurity company, offers legitimate Linux software called “Free Download Manager.” Starting in January 2020, however, it began redirecting some users who tried to download the software to another domain, deb.fdmpkg[.]org, that served a booby-trapped Debian package.

It is suspected that the malware authors designed the attack around certain predefined filtering criteria (e.g. a digital fingerprint of the system) to selectively direct potential victims to the malicious version. The fraudulent redirects ended in 2022 for unexplained reasons.


The Debian package includes a post-install script that is run at installation to drop two ELF files, /var/tmp/bs and a DNS-based backdoor (/var/tmp/crond) that launches a reverse shell to a command-and-control (C2) server, which is received in response to a DNS request to one of four domains:

  • 2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg[.]org
  • c6d76b1748b67fbc21ab493281dd1c7a558e3047.u.fdmpkg[.]org
  • 0727bedf5c1f85f58337798a63812aa986448473.u.fdmpkg[.]org
  • c3a05f0dac05669765800471abc1fdaba15e3360.u.fdmpkg[.]org

“The communication protocol is, depending on the connection type, SSL or TCP,” the researchers said. “In the case of SSL, the crond-backdoor launches the /var/tmp/bs executable and delegates all further communication to it. Otherwise, the reverse shell is created by the crond-backdoor itself.”

The ultimate goal of the attack is to deploy stealer malware and collect sensitive data from the system. The collected information is then uploaded to the attacker’s server using a binary file downloaded from the C2 server.

crond, Kaspersky said, is a variant of a backdoor known as Bew that has been in circulation since 2013, while an early version of the Bash stealer malware was previously documented by Yoroi in June 2019.
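
The file paths and the fdmpkg[.]org domain named above can be checked for directly on a Debian-based host. The shell function below is an added example, not code from Kaspersky or from the original article. It assumes the standard Debian apt source locations and a plain-text DNS log with one query per line; the function and argument names are hypothetical.

```shell
#!/bin/sh
# Added example: host triage for the artifacts named in the article.
# Usage: check_fdm_iocs [ROOT] [DNS_LOG]
#   ROOT     filesystem root to inspect (default /; may be a mounted image)
#   DNS_LOG  optional text log of resolver queries, one query per line (assumed format)
# Prints one line per finding; returns 1 if anything was found, 0 if clean.
check_fdm_iocs() {
    root="${1:-/}"; root="${root%/}"
    dns_log="${2:-}"
    found=0

    # 1. ELF files dropped by the package's post-install script.
    for f in /var/tmp/crond /var/tmp/bs; do
        if [ -e "$root$f" ]; then
            echo "FILE $f"
            found=1
        fi
    done

    # 2. References to the redirect domain in apt configuration.
    #    (Assumption: standard Debian apt source locations.)
    for src in "$root/etc/apt/sources.list" "$root"/etc/apt/sources.list.d/*; do
        [ -f "$src" ] || continue
        if grep -qi 'fdmpkg\.org' "$src"; then
            echo "APT ${src#"$root"}"
            found=1
        fi
    done

    # 3. DNS queries for any name under the domain, including the
    #    <40 hex chars>.u.fdmpkg.org names the backdoor resolves.
    if [ -n "$dns_log" ] && [ -r "$dns_log" ]; then
        for name in $(grep -Eio '([0-9a-z-]+\.)*fdmpkg\.org' "$dns_log" \
                      | tr '[:upper:]' '[:lower:]' | sort -u); do
            echo "DNS $name"
            found=1
        done
    fi
    return "$found"
}

# Run only when a root is given on the command line, e.g.: sh fdm_triage.sh /
if [ -n "${1:-}" ]; then check_fdm_iocs "$@"; fi
```

A clean result only shows that these specific artifacts are absent; a hit on any line warrants treating stored passwords, wallet files and cloud credentials on that host as exposed.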


It is not immediately clear how the compromise actually came about and what the end goals of the campaign were. What is clear is that not everyone who downloaded the software received the fraudulent package, allowing it to evade detection for years.

“Although the campaign is currently inactive, this case of Free Download Manager shows that it can be quite difficult to detect persistent cyber attacks on Linux machines with the naked eye,” the researchers said.

“It is therefore essential that Linux machines, both desktop and server, are equipped with reliable and efficient security solutions.”
