Unpacking Three Years of Stealthy Activity
For more than three years, Linux users who downloaded software from the Free Download Manager site unwittingly exposed themselves to a malicious operation that stole sensitive information. This insidious attack, which went undetected for an extended period, serves as a cautionary tale for cybersecurity practices concerning Linux systems.
Anatomy of the Attack
The Free Download Manager site is a well-known platform that offers Linux software of the same name, “Free Download Manager.” However, beginning in January 2020, the website's operations took a dark turn: it started funneling some users to a separate domain, deb.fdmpkg[.]org, that distributed malicious Debian packages. According to cybersecurity researchers Georgy Kucherin and Leonid Bezvershenko from Kaspersky, this was part of a larger supply chain attack targeting Linux users.
The attack campaign relied on a sophisticated modus operandi. A reverse shell was established, connecting the victim's system to an actor-controlled server. The next step involved installing a Bash stealer malware on the compromised Linux system. This malware harvested a range of data, from system information and browsing history to cryptocurrency wallet files and cloud service credentials.
Stealth and Selectivity: The Malware’s Criteria
Interestingly, the attack appeared to be highly selective, likely utilizing predefined filtering criteria, possibly system-based digital fingerprints, to guide potential victims to the malicious Debian package. This level of selectivity added another layer of complexity, making it challenging for cybersecurity experts to spot the malicious activity. The malicious redirects ceased in 2022 for reasons that remain unclear.
The Malicious Debian Package
The Debian package included a post-install script that, once the package was installed, executed two ELF files: /var/tmp/bs and a DNS-based backdoor, /var/tmp/crond. These binaries set up a reverse shell to a command-and-control (C2) server, which was contacted via DNS requests to any of the following four domains:
- 2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg[.]org
- c6d76b1748b67fbc21ab493281dd1c7a558e3047.u.fdmpkg[.]org
- 0727bedf5c1f85f58337798a63812aa986448473.u.fdmpkg[.]org
- c3a05f0dac05669765800471abc1fdaba15e3360.u.fdmpkg[.]org
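The post-install script is the part of this package a defender can inspect before anything runs. The following is an added example, not Kaspersky's tooling or any Free Download Manager code: it parses a .deb (an ar archive whose control.tar.* member carries the maintainer scripts), pulls out preinst/postinst/prerm/postrm, and flags patterns such as executables staged under /var/tmp, the fdmpkg[.]org domain named in the article, or a process being detached from the installer. The package it audits is a constructed stand-in whose postinst mimics the behaviour described above; the regex heuristics are assumptions, not a published rule set.

```python
"""Audit a .deb's maintainer scripts before installing it.

Added example, not Kaspersky's tooling or Free Download Manager code.
A .deb is an ar(1) archive holding debian-binary, control.tar.* and
data.tar.*; the maintainer scripts (preinst, postinst, prerm, postrm)
live in control.tar.*. The package built below is a constructed stand-in
whose postinst mimics the behaviour the article describes: launching
binaries staged under /var/tmp.
"""
import io
import re
import tarfile

# Patterns a reviewer would not expect in a legitimate postinst (assumed heuristics).
SUSPICIOUS = [
    re.compile(r"/var/tmp/\S+"),           # payloads staged in a world-writable temp dir
    re.compile(r"\bfdmpkg\[?\.\]?org\b"),   # the campaign's C2 parent domain, from the article
    re.compile(r"\b(nohup|setsid)\b"),      # detaching a long-running process from the installer
]


def build_ar(members):
    """Minimal ar(1) writer: members is a list of (name, bytes)."""
    out = bytearray(b"!<arch>\n")
    for name, data in members:
        # 60-byte header: name16 mtime12 uid6 gid6 mode8 size10 magic2
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode("ascii")
        out += data
        if len(data) % 2:             # members are padded to an even offset
            out += b"\n"
    return bytes(out)


def read_ar(blob):
    """Minimal ar(1) reader yielding (name, bytes)."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[0:16].decode("ascii").strip().rstrip("/")  # GNU ar appends '/'
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)


def make_tar(files):
    """Build a gzip-compressed tar in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mode = 0o755
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def maintainer_scripts(deb_blob):
    """Return {script_name: text} for every maintainer script in a .deb."""
    scripts = {}
    for name, data in read_ar(deb_blob):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar.getmembers():
                base = member.name.lstrip("./")
                if member.isfile() and base in ("preinst", "postinst", "prerm", "postrm"):
                    scripts[base] = tar.extractfile(member).read().decode("utf-8", "replace")
    return scripts


def audit(deb_blob):
    """Return (script, pattern, matched_text) for every suspicious hit."""
    findings = []
    for script, text in maintainer_scripts(deb_blob).items():
        for pat in SUSPICIOUS:
            findings.extend((script, pat.pattern, m.group(0)) for m in pat.finditer(text))
    return findings


# Constructed stand-in for the postinst the article describes (not the real script).
MALICIOUS_POSTINST = b"""#!/bin/sh
set -e
cp /usr/share/fdm/.bs /var/tmp/bs
cp /usr/share/fdm/.crond /var/tmp/crond
nohup /var/tmp/crond >/dev/null 2>&1 &
exit 0
"""

BENIGN_POSTINST = b"""#!/bin/sh
set -e
update-desktop-database /usr/share/applications || true
exit 0
"""


def constructed_deb(postinst):
    """Assemble a minimal but structurally valid .deb with the given postinst."""
    control = b"Package: example\nVersion: 1.0\nArchitecture: amd64\nMaintainer: nobody\nDescription: constructed test package\n"
    return build_ar([
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", make_tar({"./control": control, "./postinst": postinst})),
        ("data.tar.gz", make_tar({})),
    ])


if __name__ == "__main__":
    for label, script in (("benign", BENIGN_POSTINST), ("malicious", MALICIOUS_POSTINST)):
        print(label, audit(constructed_deb(script)))
```

For a package already on disk, `dpkg-deb -e pkg.deb outdir` extracts the same control directory, so `audit()` can be pointed at real maintainer scripts by reading the file bytes; the heuristics are deliberately coarse (a legitimate postinst rarely needs /var/tmp or nohup), so treat a hit as a prompt to read the script, not as a verdict.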
Communication Protocols and Further Exploits
Once the connection was established, the malware would use either SSL or TCP for communication. In the SSL case, /var/tmp/bs was executed to manage further communication; if TCP was used, the reverse shell was created directly by the crond backdoor. The end goal of this elaborate attack was to deploy stealer malware that hoarded sensitive data, which was then uploaded to the attacker's server.
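Because the backdoor reached its C2 through DNS requests to the four hostnames listed above, resolver logs are the place this activity leaves a trace. The following is an added example, not Kaspersky's code: it normalises queried names, matches them against the four indicators from the article and against the shared fdmpkg.org parent zone (which also hosted the deb.fdmpkg[.]org package domain), and counts hits per client so repeated lookups from one host stand out. The log layout, client addresses and timestamps are constructed; real resolvers log differently and the `LOG_LINE` pattern would be adapted accordingly.

```python
"""Flag resolver-log queries to the campaign's C2 domains.

Added example, not Kaspersky's code. The four hostnames and the
deb.fdmpkg.org package domain come from the article; everything else
(the log layout, the client addresses, the timestamps) is constructed.
"""
import re
from collections import Counter

# Indicators from the article, with the "[.]" defanging removed so they match live queries.
C2_HOSTS = {
    "2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg.org",
    "c6d76b1748b67fbc21ab493281dd1c7a558e3047.u.fdmpkg.org",
    "0727bedf5c1f85f58337798a63812aa986448473.u.fdmpkg.org",
    "c3a05f0dac05669765800471abc1fdaba15e3360.u.fdmpkg.org",
}
# The package host and every C2 host share one parent zone, so any name under it is suspect.
# Anchored so that unrelated names merely ending in the same letters do not match.
C2_ZONE = re.compile(r"(^|\.)fdmpkg\.org$")

# Constructed log layout (assumption): "<timestamp> <client> <qname> <qtype>"; real resolvers differ.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def classify(qname):
    """Return 'ioc-exact', 'ioc-domain' or None for a queried name."""
    q = qname.rstrip(".").lower()        # strip the trailing root dot, normalise case
    if q in C2_HOSTS:
        return "ioc-exact"
    if C2_ZONE.search(q):
        return "ioc-domain"
    return None


def scan(lines):
    """Return (hits, per_client): matching queries and a hit count per client."""
    hits = []
    per_client = Counter()
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                      # skip blank or malformed lines
        verdict = classify(m["qname"])
        if verdict:
            hits.append((m["ts"], m["client"], m["qname"].rstrip(".").lower(), m["qtype"], verdict))
            per_client[m["client"]] += 1
    return hits, per_client


# Constructed sample log: two clients that resolved C2 names mixed with ordinary traffic.
SAMPLE_LOG = """\
2023-09-12T10:00:01Z 10.0.0.5 www.debian.org A
2023-09-12T10:00:07Z 10.0.0.5 2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg.org A
2023-09-12T10:00:07Z 10.0.0.5 2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg.org TXT
2023-09-12T10:01:12Z 10.0.0.9 mirror.example.net A
2023-09-12T10:02:33Z 10.0.0.5 0727bedf5c1f85f58337798a63812aa986448473.u.fdmpkg.org. A
2023-09-12T10:03:00Z 10.0.0.7 deb.fdmpkg.org A
2023-09-12T10:03:05Z 10.0.0.7 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.u.fdmpkg.org A
2023-09-12T10:04:00Z 10.0.0.9 notfdmpkg.org A
"""


if __name__ == "__main__":
    hits, per_client = scan(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(*hit)
    print("hits per client:", dict(per_client))
```

The zone match matters more than the exact list: the 40-hex-character labels look generated, so an exact-match feed will miss any name the operators rotate in, while the parent zone stays constant. The same `C2_ZONE` rule translates directly into a resolver block list (a response-policy zone, for instance) for hosts that must never reach this infrastructure at all.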
The Bash Stealer and crond Variants
According to Kaspersky, the crond backdoor is a variant of Bew, a malware that's been in circulation since 2013. The Bash stealer itself was not entirely new either, with an earlier version having been documented by cybersecurity firm Yoroi in June 2019.
Detection Evasion Tactics
One of the most unsettling aspects of the Free Download Manager site compromise was how long it evaded detection. Not every user who downloaded from the site received the rogue package, making it difficult for cybersecurity teams to flag the website as a threat. This tactic proved to be quite effective, as the campaign remained unnoticed for years.
The Importance of Security Measures for Linux Systems
This case emphasizes the need for robust security measures for Linux systems. It can be easy to overlook Linux when considering cybersecurity threats due to its reputation for being less susceptible to malware compared to other operating systems. However, as this incident demonstrates, no system is completely invulnerable.
Conclusion
The compromise of the Free Download Manager site to distribute Linux malware serves as a stark reminder of the ever-present risks in the digital landscape, even for Linux systems. While the campaign may be inactive now, the vulnerabilities it exploited and the methods it employed should serve as learning points for both cybersecurity experts and everyday users. Vigilance and robust security measures are not optional; they are necessities in today's cyber-threat-filled environment.
FAQ
What happened to the Free Download Manager site?
The Free Download Manager website was compromised and was used to distribute Linux malware for over three years.
What kind of malware was being distributed?
Stealthy Linux malware that collected sensitive information such as system details, browsing history, saved passwords, and credentials for cloud services was distributed.
How did the malware work?
Once downloaded, the malware establishes a reverse shell to an actor-controlled server and installs a Bash stealer on the compromised system.
Who discovered this malicious activity?
Researchers from Russian cybersecurity firm Kaspersky, Georgy Kucherin and Leonid Bezvershenko, discovered this malware campaign.
When did this activity start and end?
This malicious activity started in January 2020 and ceased in 2022 for unspecified reasons.
Was everyone who downloaded from the site affected?
No, not all users who downloaded the software were affected. The malware authors used certain filtering criteria to target potential victims selectively.
What domains were involved in this campaign?
The domains include 2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg[.]org, c6d76b1748b67fbc21ab493281dd1c7a558e3047.u.fdmpkg[.]org, and others.
What is the ultimate goal of this malware?
The ultimate goal is to steal sensitive data from compromised Linux systems, which is then uploaded to an attacker's server.
What are the implications of this for Linux users?
This case demonstrates the critical importance of equipping both desktop and server Linux machines with reliable and efficient security solutions.
Is the campaign still active?
No, the campaign is currently inactive according to Kaspersky researchers. However, users are advised to remain vigilant.
What steps should I take to protect my Linux machine?
Users are advised to update their software regularly and to install trusted security solutions to detect and mitigate threats.
Is the Free Download Manager site still compromised?
There are no recent reports suggesting the site is still compromised, but caution is advised when downloading software from any site.
What kind of security measures are effective against such attacks?
Using reliable antivirus software and keeping your system up-to-date are basic but effective steps to protect against such malware attacks.
How was this cyberattack different from others targeting Linux systems?
This attack was notable for its duration (3+ years) and its method of selectively targeting users based on predefined criteria, making it difficult to detect.