1695016706 Linux This malware has been stealing your passwords for 3

Linux: This malware has been stealing your passwords for 3 years and no one has noticed – Lebigdata.fr

Linux is home to malware that steals passwords and other sensitive data. It had been operating unnoticed for more than three years.

Linux users may have this malware on their computers without knowing it. Kaspersky researchers sounded the alarm in a report published on September 12th. This major security flaw in the operating system is related to the Free Download Manager software.

An infected version of Free Download Manager

FDM is download management software. It can be downloaded for free from the website freedownloadmanager.org. The cause of the problem dates back to 2020. The site redirected some visitors to another domain (deb.fdmpkg.org) serving a version of the software that contained the data-stealing malware. The hosts involved were:

  • 2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg.org
  • c6d76b1748b67fbc21ab493281dd1c7a558e3047.u.fdmpkg.org
  • 0727bedf5c1f85f58337798a63812aa986448473.u.fdmpkg.org
  • c3a05f0dac05669765800471abc1fdaba15e3360.u.fdmpkg.org

This hacked version contained a script that downloaded two executable files to the paths /var/tmp/crond and /var/tmp/bs. The script then used the cron task scheduler to run the file /var/tmp/crond every ten minutes. The malware then took control of the computers running the infected software.

After receiving an IP address, the backdoor could start a reverse shell. Hackers were then able to remotely control the infected computer.

After discovering the malware, the researchers studied it by activating the backdoor on a test computer. The aim, naturally, was to understand the malware's behavior.

The malware collects a variety of data, ranging from browsing history to system information and passwords, especially for cloud services such as Google Cloud or Amazon Web Services. The malware hidden in FDM also targets cryptocurrency wallet files.

Once data collection is complete, the malware downloads a binary from the C2 server and saves it to /var/tmp/atd. This file is used to upload the stolen data; that is how the hackers retrieve it.
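The article names concrete indicators (the dropped files under /var/tmp, the cron job that runs /var/tmp/crond every ten minutes, and the fdmpkg.org hosts), so a defender can check a host and its logs for them. The following Python script is an added example written for this page; it is not code from the article, from Kaspersky or from FDM. The file paths and host names are taken from the article; the sample crontab and DNS log lines are constructed for the demonstration. It generalises the host check slightly: any name under fdmpkg.org is flagged, not only the four listed hosts, since the article also names deb.fdmpkg.org as the redirect target.

```python
"""Added triage example (not from the article, Kaspersky or FDM): checks a
Linux host and some logs for the indicators the article names. The dropped
file paths and the fdmpkg.org hosts are taken from the article; the sample
crontab and DNS log lines below are constructed for the demonstration."""
import os
import re

# File paths the article says the infected package dropped or fetched.
DROPPED_FILES = ["/var/tmp/crond", "/var/tmp/bs", "/var/tmp/atd"]

# Hosts the article lists as serving the backdoored package.
MALICIOUS_HOSTS = {
    "2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg.org",
    "c6d76b1748b67fbc21ab493281dd1c7a558e3047.u.fdmpkg.org",
    "0727bedf5c1f85f58337798a63812aa986448473.u.fdmpkg.org",
    "c3a05f0dac05669765800471abc1fdaba15e3360.u.fdmpkg.org",
}

# Generalisation: any name under fdmpkg.org (the article also mentions
# deb.fdmpkg.org as the redirect target) is worth flagging, not only the
# four hosts above.
FDMPKG_RE = re.compile(r"\b(?:[a-z0-9-]+\.)*fdmpkg\.org\b", re.IGNORECASE)


def find_dropped_files(paths=DROPPED_FILES):
    """Return the indicator paths that currently exist on this host."""
    return [p for p in paths if os.path.exists(p)]


def suspicious_cron_lines(crontab_text):
    """Return non-comment crontab entries that run something from /var/tmp.

    The backdoor used a cron job to run /var/tmp/crond every ten minutes;
    legitimate software rarely schedules binaries from a world-writable
    temporary directory, so every such entry is reported.
    """
    hits = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if re.search(r"(?:^|\s)/var/tmp/\S+", entry):
            hits.append(entry)
    return hits


def fdmpkg_hosts_in_logs(lines):
    """Return (line_number, host, known) for log lines naming fdmpkg.org.

    `known` is True when the host is one of the four listed in the article.
    """
    found = []
    for number, line in enumerate(lines, start=1):
        for match in FDMPKG_RE.finditer(line):
            host = match.group(0).lower()
            found.append((number, host, host in MALICIOUS_HOSTS))
    return found


# Constructed sample input: one malicious cron entry beside a benign one.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/10 * * * * /var/tmp/crond
0 3 * * * /usr/bin/apt-get update
"""

# Constructed sample DNS resolver log lines.
SAMPLE_DNS_LOG = [
    "client 10.0.0.5 query: c6d76b1748b67fbc21ab493281dd1c7a558e3047.u.fdmpkg.org IN A",
    "client 10.0.0.5 query: deb.debian.org IN A",
    "client 10.0.0.7 query: deb.fdmpkg.org IN A",
]


def triage(crontab_text=SAMPLE_CRONTAB, log_lines=SAMPLE_DNS_LOG):
    """Combine the three checks into one report dictionary."""
    return {
        "dropped_files": find_dropped_files(),
        "cron": suspicious_cron_lines(crontab_text),
        "dns": fdmpkg_hosts_in_logs(log_lines),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On a real host you would feed `suspicious_cron_lines` the output of `crontab -l` for each user plus the files under /etc/cron.d, and feed `fdmpkg_hosts_in_logs` your resolver or proxy logs; the `/var/tmp` check is deliberately broad because a cron entry pointing into a temporary directory is worth a look regardless of the file name.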

Cyberattacks are difficult to detect on Linux

Kaspersky researchers were unable to determine why some visitors were redirected to the infected version of FDM. The type of malware, however, is known: it is an updated version of Bev, another malware discovered in 2014. Recall that hackers used it in a massive attack in 2017.

For their part, those responsible for Free Download Manager did react after the Kaspersky researchers' report was published. In a press release, they explained that Ukrainian hackers are believed to be the source of the infected software. The security gap is no longer a problem, FDM assures.

“The case of Free Download Manager shows that it can be very difficult to detect cyberattacks on Linux computers,” says the security report.