Ukrainian hackers are behind the Free Download Manager supply chain attack

The recently discovered Free Download Manager (FDM) supply chain attack, which distributed Linux malware, started back in 2020.

The maintainers of Free Download Manager (FDM) confirmed that the recently discovered supply chain attack dates back to 2020.

Recently, researchers from Kaspersky reported the discovery of a free download manager site that has been compromised to serve Linux malware. While investigating a set of suspicious domains, the experts identified that the domain in question has a deb.fdmpkg[.]org subdomain.

Visiting the subdomain with the browser, the researchers noticed a page claiming that the domain is hosting a Linux Debian repository of software named ‘Free Download Manager’

This package turned out to contain an infected postinst script that is executed upon installation. This script drops two ELF files to the paths /var/tmp/crond and /var/tmp/bs. It then establishes persistence by creating a cron task (stored in the file /etc/cron.d/collect) that launches the /var/tmp/crond file every 10 minutes.” reported Kasperksy.

The “Free Download Manager” version installed by the malicious package was released on January 24, 2020. The experts found comments in Russian and Ukrainian, including information about improvements made to the malware, in the postinst script.

Upon installing the malicious package, the executable /var/tmp/crond is launched on every startup through cron. The executable is a backdoor that accesses the Linux API and invokes syscalls using the statically linked dietlibc library.

Now the maintainers of Free Download Manager (FDM) have shared findings from their investigation. They discovered that a Ukrainian hacker group compromised a specific web page on their web site then used it to distribute the malware.

“Today, informed by the findings from Kaspersky Lab, we became aware of a past security incident from 2020. It appears that a specific web page on our site was compromised by a Ukrainian hacker group, exploiting it to distribute malicious software.” reads the announcement published by the maintainers. “Only a small subset of users, specifically those who attempted to download FDM for Linux between 2020 and 2022, were potentially exposed. It’s estimated that much less than 0.1% of our visitors might have encountered this issue. This limited scope is probably why the issue remained undetected until now. Intriguingly, this vulnerability was unknowingly resolved during a routine site update in 2022.”

The maintainers estimate that the website served the malware to a very limited number of visitors, the maintainers believe that much less than 0.1% of their visitors were impacted. For this reason, the supply chain attack remained undetected for years.

The maintainers announced the enhancement of their defenses and the implementation of additional measures to prevent similar security incidents in the future.

Visitors who attempted to download FDM for Linux from the compromised page during the mentioned timeframe are recommended to scan their systems for the presence of malware and update their passwords.

The maintainers determined that the threat actors exploited a vulnerability in a script on their website to inject the malicious code.

The analysis of files that were part of the site before the compromise (dating back to 2020) revealed the presence of a portion of code used to choose whether to give users the correct download link or a link to the malware-laced version of the files.

“To investigate this problem, we accessed data from our project backups dating back to 2020 and found this modified page, which contained an algorithm that chose whether give users correct download link or the one leading to the fake domain deb.fdmpkg.org containing a malicious .deb file. It had an «exception list» of IP addresses from various subnets, including those associated with Bing and Google.” continues the announcement. “Visitors from these IP addresses were always given the correct download link.” continues the announcement.

FDM has released a script to check for indicators of compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Free Download Manager)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Empire Market owners charged with operating $430M dark web marketplace

Federal authorities charged two individuals with operating the dark web marketplace Empire Market that facilitated…

2 hours ago

China-linked Velvet Ant uses F5 BIG-IP malware in cyber espionage campaign

Chinese cyberespionage group Velvet Ant was spotted using custom malware to target F5 BIG-IP appliances…

4 hours ago

LA County’s Department of Public Health (DPH) data breach impacted over 200,000 individuals

The County of Los Angeles’ Department of Public Health (DPH) disclosed a data breach that…

10 hours ago

Spanish police arrested an alleged member of the Scattered Spider group

A joint law enforcement operation led to the arrest of a key member of the…

12 hours ago

Online job offers, the reshipping and money mule scams

Offers that promise easy earnings can also bring with them a host of scams that…

15 hours ago

Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

1 day ago

This website uses cookies.