Kaspersky Lab discovered a backdoor disguised as a Linux software installer

Carding

Kaspersky Lab researchers uncovered a supply chain attack that is part of a campaign that had been going on for more than three years.

During this period, the Free Download Manager site redirected Linux users to a Debian package repository serving malware that steals information. The redirects stopped in 2022.

As noted by the Kaspersky researchers, the official download page of freedownloadmanager[.]org in some cases redirected users who tried to download the Linux version of the software to the domain deb.fdmpkg[.]org, which served a malicious Debian package. The criteria by which visitors were selected for redirection remain unclear.

Among other things, the researchers identified numerous posts on social networks, Reddit, StackOverflow, YouTube and Unix Stack Exchange that promoted the malicious domain as a trustworthy source for downloading Free Download Manager, as well as posts in which users described their own infections.

The malicious Debian package itself (the format used to install software on Debian-based distributions) contains a Bash script that steals information and a crond backdoor that launches a reverse shell to the C2 server. The crond component creates a new cron job on the system that starts the stealer script at system startup.

The researchers also found that the script contains comments in Russian and Ukrainian, including notes about improvements made to the malware as well as activist statements.

The researchers believe the crond backdoor is a variant of the Bew malware that has been circulating since 2013, and the Bash stealer was discovered in the wild and first analyzed back in 2019, so the toolset is not new.

The Bash stealer studied by Kaspersky collects system information, browsing history, browser passwords, RMM authentication keys, shell history, cryptocurrency wallet data and credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure).

The collected data is then uploaded to the attackers' server for use in further attacks or for sale on the cyber underground.

According to Kaspersky telemetry, the victims of this campaign are scattered all over the world, including Brazil, China, Saudi Arabia and Russia.

Although the campaign is currently inactive, the researchers recommend that users who installed Free Download Manager for Linux between 2020 and 2022 check their systems to make sure no malware is present.
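As an added example of such a check (this is not code from Kaspersky's report or from the forum post), the script below covers the two things the write-up gives a practitioner to go on: the malicious domain deb.fdmpkg[.]org, and a crond backdoor that persists through a cron job started at boot. It reports whether the Free Download Manager package is installed and which APT source it came from, greps APT sources and cron definitions for the domain, and lists every @reboot cron entry for manual review. The package name "freedownloadmanager", the directory list and the mapping of "starts at system startup" to an @reboot entry are assumptions; the real file names used by the backdoor are not given in the post, so this is a starting point, not a full IOC scan.

```shell
#!/bin/sh
# Added example, not code from Kaspersky's report or the forum post: a minimal
# triage script for a Linux host that installed Free Download Manager.
# Assumptions (ours, not from the write-up): the Debian package name
# "freedownloadmanager", the directory list in run_host_check, and that the
# "starts at system startup" cron job appears as an @reboot entry.

FDM_DOMAIN="fdmpkg.org"                          # from the write-up
FDM_PKG="${FDM_PKG:-freedownloadmanager}"        # assumed Debian package name

# Grep every file under the given directories (or files) for the domain as a
# fixed string. Prints matching file names; returns 0 when clean, 1 on a hit.
# Paths that do not exist are skipped rather than treated as errors.
scan_for_domain() {
    found=0
    for d in "$@"; do
        [ -e "$d" ] || continue
        if matches=$(grep -rlF -- "$FDM_DOMAIN" "$d" 2>/dev/null) && [ -n "$matches" ]; then
            printf '%s\n' "$matches"
            found=1
        fi
    done
    return $found
}

# Print every cron line that runs at boot (@reboot) from the given cron
# directories or files, so unexpected commands can be reviewed by hand.
list_reboot_jobs() {
    grep -rh -- '^[[:space:]]*@reboot' "$@" 2>/dev/null
    return 0
}

# Report whether the FDM package is installed and which repository APT
# associates with it. Returns 0 if not installed, 1 if installed, 2 if dpkg
# is unavailable (not a Debian-based system).
check_fdm_package() {
    command -v dpkg-query >/dev/null 2>&1 || { echo "dpkg not found"; return 2; }
    if ! dpkg-query -W -f='${Package} ${Version} ${Status}\n' "$FDM_PKG" 2>/dev/null; then
        echo "$FDM_PKG is not installed"
        return 0
    fi
    # Installed: "apt-cache policy" shows the source the version came from.
    command -v apt-cache >/dev/null 2>&1 && apt-cache policy "$FDM_PKG"
    return 1
}

# Run all checks against the live host's standard locations (assumed list).
run_host_check() {
    echo "== package =="; check_fdm_package
    echo "== $FDM_DOMAIN in APT sources and cron =="
    scan_for_domain /etc/apt/sources.list /etc/apt/sources.list.d \
        /etc/crontab /etc/cron.d /var/spool/cron && echo "no references found"
    echo "== @reboot cron jobs (review manually) =="
    list_reboot_jobs /etc/crontab /etc/cron.d /var/spool/cron
    crontab -l 2>/dev/null | grep -- '^[[:space:]]*@reboot'
    return 0
}

# Only touch the live system when explicitly asked, e.g.:
#   FDM_CHECK_RUN=1 sh fdm_check.sh
if [ "${FDM_CHECK_RUN:-0}" = "1" ]; then
    run_host_check
fi
```

Run it as root so /var/spool/cron is readable; a hit on the domain in an APT source or cron file, or an @reboot job pointing at a binary you did not install, is the cue to pull the host for a proper investigation rather than simply removing the package.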