Experts spotted a rare Linux Desktop spyware dubbed EvilGnome

Experts at Intezer discovered a new backdoor, dubbed EvilGnome, that is targeting Linux systems for cyber espionage purpose.

Intezer spotted a new piece of Linux malware dubbed EvilGnome because it disguises as a Gnome extension. The researchers attribute the spyware to the Russia-linked and Gamaredon Group.  The modules used by EvilGnome are reminiscent of the Windows tools used by the Gamaredon Group, other analogies include the use of SFX, persistence with task scheduler and the deployment of information stealers.

“Linux desktop remains an unpopular choice among mainstream desktop users, making up a little more than 2% of the desktop operating system market share.” reads the analysis published by Intezer. ” This explains our surprise when in the beginning of July, we discovered a new, fully undetected Linux backdoor implant, containing rarely seen functionalities with regards to Linux malware, targeting desktop users.”

The experts confirmed that the spy agent used by the threat actors was never seen before.

The Gamaredon APT was first spotted in 2013, last year researchers at LookingGlass have shared the details of a cyber espionage campaign, tracked as Operation Armageddon, targeting Ukrainian entities.

The Security Service of Ukraine (SBU) blamed theRussia’s Federal Security Service (FSB) for the cyber attacks. 

The sample analyzed by Intezer was uploaded to VirusTotal by mistake, the presence of metadata that was not removed by the attackers revealed that the malicious code was created on July 4. The analysis revealed that the malicious code includes an unfinished keylogger, some comments, symbol names and compilation metadata, a circumstance that suggests the authors are still working on it.

EvilGnome allows attackers to take screenshots, steal files, capture audio recordings from the microphone, and download and execute other payloads.

The attack starts with spear-phishing emails containing weaponized attachments, the malware is distributed via Russian hosting providers.

The hosting provider used by attackers behind EvilGnome was used by Gamaredon Group for years, the SSH was exposed over the port 3436, the same used by Gamaredon to expose SSH.

The Linux implant is delivered in the form of a self-extracting archive shell script created with makeself that is a small shell script that generates a self-extractable compressed tar archive from a directory. The generated files appear as a shell script, many having a .run suffix, that can be launched as is. 

The setup script installs the malicious code to ~/.cache/gnome-software/gnome-shell-extensions/, and attackers gain persistence by registering gnome-shell-ext.sh to run every minute in crontab.

In the last step of the installation process, the script executes gnome-shell-ext.sh, which in turn launches the main executable gnome-shell-ext:

“The Spy Agent was built in C++, using classes with an object oriented structure. The binary was not stripped, which allowed us to read symbols and understand the developer’s intentions.” continues the analysis.

“At launch, the agent forks to run in a new process. The agent then reads the rtp.dat configuration file and loads it directly into memory”

The spy agent is composed of five modules that run in separate threads:

• ShooterSound – captures audio from the user’s microphone and uploads to C2;
• ShooterImage – captures screenshots and uploads to C2;
• ShooterFile – scans the file system for newly created files and uploads them to C2;
• ShooterPing – receives new commands from C2;
• ShooterKey – unimplemented and unused, most likely an unfinished keylogging module;

The modules access to shared resources that are safeguarded through mutexes, they use RC5 with the key “sdg62_AS.sa$die3” to encrypt or decrypt data to and from the C&C.

The malware supports several commands, it can download and execute files, set new filters for scanning, download and set new runtime configurations, exfiltrate stored output to the C&C, or stop the modules from running.

“EvilGnome is a rare type of malware due to its appetite for Linux desktop users. Throughout this post, we have presented detailed infrastructure-related evidence to connect EvilGnome to the actors behind the Gamaredon Group.” concludes the group. “We believe this is a premature test version. We anticipate newer versions to be discovered and reviewed in the future, which could potentially shed more light into the group’s operations.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – EvilGnome, Linux malware)

[adrotate banner=”5″]

[adrotate banner=”13″]