A download manager site served Linux users malware that stealthily stole passwords and other sensitive information for more than three years as part of a supply chain attack.
The modus operandi entailed establishing a reverse shell to an actor-controlled server and installing a Bash stealer on the compromised system. The campaign, which took place between 2020 and 2022, is no longer active.
"This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure)," Kaspersky researchers Georgy Kucherin and Leonid Bezvershenko said.
The website in question is freedownloadmanager[.]org, which, according to the Russian cybersecurity firm, offers a legitimate Linux software called "Free Download Manager," but starting in January 2020, began redirecting some users who attempted to download it to another domain, deb.fdmpkg[.]org, that served a booby-trapped Debian package.
It's suspected that the malware authors engineered the attack based on certain predefined filtering criteria (say, a digital fingerprint of the system) to selectively lead potential victims to the malicious version. The rogue redirects ended in 2022 for inexplicable reasons.

The Debian package contains a post-install script that's executed upon its installation to drop two ELF files, /var/tmp/bs and a DNS-based backdoor (/var/tmp/crond) that launches a reverse shell to a command-and-control (C2) server, which is received in response to a DNS request to one of the four domains:
- 2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg[.]org
- c6d76b1748b67fbc21ab493281dd1c7a558e3047.u.fdmpkg[.]org
- 0727bedf5c1f85f58337798a63812aa986448473.u.fdmpkg[.]org
- c3a05f0dac05669765800471abc1fdaba15e3360.u.fdmpkg[.]org

"The communication protocol is, depending on the connection type, either SSL or TCP," the researchers said. "In the case of SSL, the crond backdoor launches the /var/tmp/bs executable and delegates all further communications to it. Otherwise, the reverse shell is created by the crond backdoor itself."
The ultimate goal of the attack is to deploy a stealer malware and harvest sensitive data from the system. The collected information is then uploaded to the attacker's server using an uploader binary downloaded from the C2 server.
crond, Kaspersky said, is a variant of a backdoor known as Bew that has been in circulation since 2013, while an early version of the Bash stealer malware was previously documented by Yoroi in June 2019.
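
The indicators described above can be turned into a retrospective hunt. The following is an added example, not code from Kaspersky or from the original article: it flags DNS names under fdmpkg[.]org on a label boundary and checks for the two dropped file paths. The function names and the dnsmasq-style sample log lines are assumptions constructed for illustration.

```python
import os
import re

# Indicators from the article (defanged there as "[.]"); NAME_TOKEN is a helper.
BASE_DOMAIN = "fdmpkg.org"
PACKAGE_HOST = "deb.fdmpkg.org"
C2_NAME = re.compile(r"^[0-9a-f]{40}\.u\.fdmpkg\.org$")
DROPPED_FILES = ("/var/tmp/crond", "/var/tmp/bs")
NAME_TOKEN = re.compile(r"[A-Za-z0-9_-]+(?:(?:\[\.\]|\.)[A-Za-z0-9_-]+)+\.?")

def normalize(name):
    """Refang, lowercase and drop the trailing root dot of a DNS name."""
    return name.replace("[.]", ".").lower().rstrip(".")

def classify(name):
    """Return an indicator label for a DNS name, or None if unrelated."""
    name = normalize(name)
    if C2_NAME.match(name):
        return "c2-lookup"
    if name == PACKAGE_HOST:
        return "package-host"
    # Match on a label boundary so "notfdmpkg.org" does not hit.
    if name == BASE_DOMAIN or name.endswith("." + BASE_DOMAIN):
        return "related-domain"
    return None

def scan_dns_log(lines):
    """Return (line_number, name, label) for every indicator hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for token in NAME_TOKEN.findall(line):
            if label := classify(token):
                hits.append((number, normalize(token), label))
    return hits

def dropped_files_present(root="/"):
    """List the article's dropped ELF paths that exist under root."""
    return [p for p in DROPPED_FILES if os.path.lexists(os.path.join(root, p[1:]))]

# Constructed sample (dnsmasq-style), not real telemetry.
SAMPLE_LOG = [
    "Sep 12 10:01:07 dnsmasq[811]: query[A] deb.fdmpkg.org from 10.0.0.5",
    "Sep 12 10:06:40 dnsmasq[811]: query[A] "
    "2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg.org. from 10.0.0.5",
    "Sep 12 10:07:11 dnsmasq[811]: query[A] notfdmpkg.org from 10.0.0.9",
]

if __name__ == "__main__":
    print(scan_dns_log(SAMPLE_LOG), dropped_files_present())
```

Because the redirects ran from 2020 to 2022, the DNS scan is most useful against retained resolver or proxy logs from that period, while the file check applies to any host that installed the package then.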
It's not immediately clear how the compromise actually took place and what the end goals of the campaign were. What's evident is that not everyone who downloaded the software received the rogue package, enabling it to evade detection for years.
"While the campaign is currently inactive, this case of Free Download Manager demonstrates that it can be quite difficult to detect ongoing cyberattacks on Linux machines with the naked eye," the researchers said.
"Thus, it is essential that Linux machines, both desktop and server, are equipped with reliable and efficient security solutions."