Pierluigi Paganini
September 15, 2023
Researchers from Kaspersky discovered a free download manager site that has been compromised to serve Linux malware. While investigating a set of suspicious domains, the experts identified that the domain in question has a deb.fdmpkg[.]org subdomain.
Visiting the subdomain with the browser, the researchers noticed a page claiming that the domain is hosting a Linux Debian repository of software named ‘Free Download Manager’.
This package turned out to contain an infected postinst script that is executed upon installation. This script drops two ELF files to the paths /var/tmp/crond and /var/tmp/bs. It then establishes persistence by creating a cron task (stored in the file /etc/cron.d/collect) that launches the /var/tmp/crond file every 10 minutes.” reported Kasperksy.
The “Free Download Manager” version installed by the malicious package was released on January 24, 2020. The experts found comments in Russian and Ukrainian, including information about improvements made to the malware, in the postinst script.
Upon installing the malicious package, the executable /var/tmp/crond is launched on every startup through cron. The executable is a backdoor that accesses the Linux API and invokes syscalls using the statically linked dietlibc library.
The crond backdoor creates a reverse shell. The researchers revealed that attackers deployed a Bash stealer on the infected system. The information stealer can collect multiple data such, including system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure).
“After collecting information from the infected machine, the stealer downloads an uploader binary from the C2 server, saving it to /var/tmp/atd. It then uses this binary to upload stealer execution results to the attackers’ infrastructure.” continues the report.
While investigating how the malware-laced Debian package was distributed to victims the researchers determined the official website of Free Download Manager (freedownloadmanager[.]org) is hosted on the files2.freedownloadmanager[.]org domain and they were not containing any malware.
An open-source research on the fdmpkg[.]org domain revealed a dozen posts on websites such as StackOverflow and Reddit, where users have been discussing problems caused by the infected Free Download Manager distribution These posts were published from 2020 to 2022, which means that the attack remained undetected for more than three years.
Starting in January 2020, the legitimate site of the domain was spotted redirecting some users who attempted to download it to the malicioud domain deb.fdmpkg[.]org that served the compromised Debian packages. The redirect terminated in 2022, but expers have yet to determine the reasong for the interruption of the supply chain attack.
“While checking videos on Free Download Manager that are hosted on YouTube, we identified several tutorials demonstrating how to install this software on Linux machines.” continues the report. “We observed the following actions that happen in all these videos:
The researchers noticed that only some users who downloaded the software received the rogue package, a technique to avoid detection.
At this time the experts have yet to determine how the attackers compromised the domain to redirect the visitors to the rogue subdomain. The victims of this campaign are located all over the world, most of them in Brazil, China, Saudi Arabia and Russia.
“While the campaign is currently inactive, this case of Free Download Manager demonstrates that it can be quite difficult to detect ongoing cyberattacks on Linux machines with the naked eye. Thus, it is essential that Linux machines, both desktop and server, are equipped with reliable and efficient security solutions.” concludes the report that also includes Indicators of Compromise (IoCs.)
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Free Download Manager)
