
Malware Scheme Targets Linux Users via Download Site

Posted: 2023-09-13
By: dwirch
Viewed: 40

Filed Under: News, Security



For over three years, the download platform freedownloadmanager[.]org covertly distributed malware to Linux users that stole sensitive information such as passwords. This was revealed by researchers on Tuesday.

Although the website primarily served a genuine version of the 'Free Download Manager' for Linux, starting in 2020 it occasionally redirected visitors to deb.fdmpkg[.]org, a site hosting a malicious version of the software. The compromised package installed a script on users' systems that acted as a backdoor. The script launched every 10 minutes, leaving affected devices persistently exposed.

This backdoor granted the attackers remote access, as the Kaspersky research team demonstrated in a controlled experiment. The malware gathered a variety of information, including browser histories, saved passwords, cryptocurrency wallets, and cloud service credentials, and then transferred the collected data to the attackers' infrastructure.

Interestingly, not all visitors to freedownloadmanager[.]org were redirected to the malicious site. Some received the genuine software, while others were sent to one of four known compromised domains. The reason behind this selection remains unknown, and the malicious redirects ceased in 2022.

The origin of this malware traces back to a backdoor called Bew, first identified in 2014 and previously used in a 2017 attack. The latest campaign appears to be an evolution of it, with an additional module integrated in 2019 after exploitation of a vulnerability in the Exim mail server.

Although the campaign is currently dormant, the incident underscores how hard it can be to identify threats on Linux systems. The researchers also published a list of file hashes, domains, and IP addresses so that users can determine whether they have been affected. The attack appears to be part of a larger supply chain operation, and attempts to contact the website's administrators have gone unanswered.
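The two details a defender can act on from this post are the 10-minute launch cadence of the backdoor script and the published indicator list. The following triage helper, added here as an example and not Kaspersky's tooling or anything from the post, scans crontab-style lines and apt source lines for the two domains the post names and for schedules matching that cadence. It assumes the persistence mechanism was a cron schedule (the post says only that the script launched every 10 minutes), uses only the two domains from the post as indicators (the researchers' full hash and IP list is not reproduced here), and all sample cron and source lines are constructed for the demo.

```python
"""Host triage helper for the Free Download Manager Linux incident.

Added example, not the researchers' or the page's own code. Assumptions:
- IOC_DOMAINS holds only the two domains named in the post; the full
  hash/IP list the researchers published is not on the page
- the 10-minute launch cadence is modelled as a cron schedule (the post
  says only that the backdoor script ran every 10 minutes)
- the sample cron and apt-source lines are constructed for this demo
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Domains from the post, with defanging brackets removed. Ordered so that
# matching is deterministic.
IOC_DOMAINS = ("deb.fdmpkg.org", "freedownloadmanager.org")


@dataclass
class Finding:
    source: str                      # where the line came from (crontab, apt sources)
    line: str                        # the offending line, verbatim
    reasons: List[str] = field(default_factory=list)


def contains_ioc(text: str) -> Optional[str]:
    """Return the first IoC domain found in text, tolerating defanged '[.]'."""
    lowered = text.lower().replace("[.]", ".")
    for domain in IOC_DOMAINS:
        if domain in lowered:
            return domain
    return None


def minute_field_every_10(minute: str) -> bool:
    """True if a cron minute field fires every 10 minutes (*/10 or 0,10,...,50)."""
    if minute == "*/10":
        return True
    return set(minute.split(",")) == {"0", "10", "20", "30", "40", "50"}


def scan_cron(lines: List[str], source: str = "crontab") -> List[Finding]:
    """Flag cron entries that reference an IoC domain or match the 10-minute cadence."""
    findings = []
    for raw in lines:
        line = raw.strip()
        # Skip blanks, comments and VAR=value environment lines.
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 5)         # five schedule fields + command
        if len(fields) < 6:
            continue                         # @reboot-style or malformed lines are out of scope
        minute, command = fields[0], fields[5]
        reasons = []
        domain = contains_ioc(command)
        if domain:
            reasons.append(f"command references IoC domain {domain}")
        if minute_field_every_10(minute):
            reasons.append("10-minute schedule matches the reported cadence; review command")
        if reasons:
            findings.append(Finding(source, line, reasons))
    return findings


def scan_apt_sources(lines: List[str], source: str = "apt-sources") -> List[Finding]:
    """Flag apt source entries that point at an IoC domain."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        domain = contains_ioc(line)
        if domain:
            findings.append(Finding(source, line, [f"package source points at IoC domain {domain}"]))
    return findings


# Constructed sample input: two benign entries, two that should be flagged.
SAMPLE_CRON = [
    "# constructed sample crontab (not from a real host)",
    "SHELL=/bin/sh",
    "0 3 * * * /usr/bin/apt update",
    "*/10 * * * * /var/tmp/.cron-helper.sh",                     # hypothetical path
    "0,10,20,30,40,50 * * * * curl -s http://deb.fdmpkg[.]org/check",  # constructed
]
SAMPLE_APT = [
    "deb http://archive.ubuntu.com/ubuntu jammy main",
    "deb https://deb.fdmpkg.org/ stable main",                  # constructed
]


def triage(cron_lines: List[str], apt_lines: List[str]) -> List[Finding]:
    """Run both scanners and return all findings for reporting."""
    return scan_cron(cron_lines) + scan_apt_sources(apt_lines)


if __name__ == "__main__":
    for f in triage(SAMPLE_CRON, SAMPLE_APT):
        print(f"[{f.source}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a real host the same functions would be fed the contents of the user and system crontabs (including `/etc/cron.d`) and `/etc/apt/sources.list` plus `/etc/apt/sources.list.d/*`, and the indicator tuple would be extended with the researchers' full domain list. The 10-minute heuristic will also flag legitimate jobs, which is intended: it narrows the set of entries a responder has to read, while the domain match is the high-confidence signal.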

