Security researchers have discovered a rare piece of Linux spyware named EvilGnome, which is currently undetected by all major antivirus products and includes features rarely seen in Linux malware, reports Official Hacker.
Far fewer malware families exist in the wild for Linux than for Windows, partly because of its architecture and partly because of its low desktop market share, and many of them have only a narrow range of functions.
In recent years, even after serious critical vulnerabilities were disclosed in various Linux distributions and software, cybercriminals have failed to use most of them in their attacks.
Instead, most malware targeting the Linux ecosystem focuses on cryptocurrency mining for financial gain and on building DDoS botnets by compromising vulnerable servers.
However, researchers at security firm Intezer Labs recently discovered a new Linux backdoor that appears to be still under development and testing but already contains several malicious modules to spy on Linux desktop users.
EvilGnome: New Linux Spyware
Dubbed EvilGnome, the malware is designed to take desktop screenshots, steal files, capture audio from the user’s microphone, and download and execute additional second-stage malicious modules.
According to a new report Intezer Labs shared with The Hacker News before publication, the EvilGnome sample found on VirusTotal also contains an unfinished keylogger function, which suggests it was mistakenly uploaded online by its developer.
EvilGnome disguises itself as a legitimate GNOME shell extension, a type of program that lets Linux users extend the functionality of their desktops.
According to the researchers, the implant is delivered as a self-extracting shell-script archive created with makeself, a small shell script that generates a self-extracting compressed tar archive from a directory.
The malware also gains persistence on the target system via crontab, the Linux counterpart of the Windows Task Scheduler, and sends the stolen user data to a remote server controlled by the attacker.
“Persistence is achieved by registering gnome-shell-ext.sh to run every minute in crontab. Finally, the script executes gnome-shell-ext.sh, which in turn runs the main executable gnome-shell-ext,” the researchers said.
EvilGnome Spyware Modules
The EvilGnome spy agent contains five malicious modules called “Shooters”, described below:
ShooterSound: this module uses PulseAudio to capture audio from the user’s microphone and uploads the data to the operator’s command-and-control (C&C) server.
ShooterImage: this module uses the open-source Cairo library to capture screenshots and upload them to the C&C server; it does so by opening a connection to the XOrg display server, the backend of the GNOME desktop.
ShooterFile: this module uses a filter list to scan the file system for newly created files and uploads them to the C&C server.
ShooterPing: this module receives new commands from the C&C server, such as downloading and executing new files, setting new file-scan filters, downloading and applying a new runtime configuration, exfiltrating stored output to the C&C server, and stopping any running Shooter module.
ShooterKey: this module is neither implemented nor used and is most likely an unfinished keylogging module.
Notably, all the modules above encrypt their output and decrypt commands received from the C&C server with RC5, using the key “sdg62_AS.sa$die3” and a modified version of a Russian open-source library.
Possible Connection Between EvilGnome and the Gamaredon Hacking Group
The researchers also found links between EvilGnome and the Gamaredon Group, an alleged Russian threat group that has been active since at least 2013 and targets individuals working with the Ukrainian government.
Some of the similarities between EvilGnome and the Gamaredon Group are summarized below:
• EvilGnome uses a hosting provider that the Gamaredon Group has used for years and continues to use.
• EvilGnome was also found using an IP address that had been tracked as Gamaredon Group infrastructure two months earlier.
• The EvilGnome operators use the “.space” TLD for their domains, as does the Gamaredon Group.
• EvilGnome uses techniques and modules, such as SFX archives, persistence via the task scheduler, and information-stealing tools, that mirror the Gamaredon Group’s Windows tooling.
How to Detect EvilGnome Malware?
To check whether your Linux system is infected with EvilGnome spyware, look for the executable “gnome-shell-ext” in the “~/.cache/gnome-software/gnome-shell-extensions” directory.
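The script below is an added example, not a tool from Intezer or part of the malware: it checks a home directory for the dropped gnome-shell-ext files and a crontab listing for the entry that runs gnome-shell-ext.sh, covering both the persistence mechanism described earlier and the file-system check above. The function takes the home directory and crontab text as arguments so it can be exercised on constructed data; the directory name and file names come from the report, and matching any crontab line that references the script (rather than only an every-minute one) is a design choice made here.

```sh
#!/bin/sh
# Added example (not from the Intezer report or the malware): looks for the
# EvilGnome artifacts the article describes. Indicator names and the install
# path come from the report; everything else is this script's own choice.

EVILGNOME_DIR=".cache/gnome-software/gnome-shell-extensions"

# check_evilgnome HOME_DIR CRONTAB_TEXT
# Prints one line per indicator found. Returns 0 when clean, 1 when any
# indicator matched, so it composes with `if` and `||`.
check_evilgnome() {
    eg_home="$1"
    eg_cron="$2"
    eg_found=0
    eg_dir="$eg_home/$EVILGNOME_DIR"

    # The dropped launcher script and the main executable.
    for f in gnome-shell-ext gnome-shell-ext.sh; do
        if [ -f "$eg_dir/$f" ]; then
            echo "INDICATOR: $eg_dir/$f exists"
            eg_found=1
        fi
    done

    # The report describes an every-minute entry ("* * * * * .../gnome-shell-ext.sh");
    # a changed schedule would still name the script, so match on the name.
    if printf '%s\n' "$eg_cron" | grep -q 'gnome-shell-ext\.sh'; then
        echo "INDICATOR: crontab entry references gnome-shell-ext.sh"
        eg_found=1
    fi

    return "$eg_found"
}

# Live scan of the invoking user: real home directory and real crontab.
# `crontab -l` exits non-zero when the user has no crontab; that is treated
# as an empty listing.
scan_current_user() {
    check_evilgnome "$HOME" "$(crontab -l 2>/dev/null)"
}

if [ "${1:-}" = "--scan" ]; then
    scan_current_user
fi
```

Run it as `sh check_evilgnome.sh --scan` for the current user; to cover every account on a multi-user machine, call `check_evilgnome` once per home directory under /home with that user’s `crontab -l -u NAME` output as root. A clean result only says these two indicators are absent; it does not rule out a renamed build.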
“We think this is a premature trial version. We expect that new versions will be discovered and tested in the future, which may shed light on the activities of the group,” the researchers conclude.
Since antivirus products and security systems currently fail to detect EvilGnome, the researchers recommend that concerned Linux administrators block the command-and-control IP addresses listed in the IOC section of the Intezer blog.