EvilGnome: a new malware that spies on and affects Linux distributions


If you thought Linux distributions were out of the woods, that is to say, that viruses on Linux are a myth, let me tell you that you are totally wrong. The reality is that there is malware that targets Linux platforms, even though the amount is negligible compared to the large number of viruses that abound on Windows platforms.

This difference is explained, in particular, by the peculiarities of each platform's architecture and by their respective popularity. Additionally, a large share of the malware targeting the Linux ecosystem is focused on cryptojacking and on building botnets to carry out DDoS attacks.

EvilGnome a malware for Linux

Security researchers recently discovered a new spyware targeting Linux. The malware appeared to be still in the development and testing phase, but it already included several malicious modules to spy on users.

The research team at Intezer Labs, a cybersecurity company, revealed a virus named EvilGnome, which has unusual characteristics compared to most Linux malware seen so far and which, at the time of discovery, went undetected by the leading antivirus products on the market.

This newly discovered malware, "EvilGnome", was designed to take desktop screenshots, steal files and capture audio from the microphone, but also to download and run other malicious modules, all without the user's knowledge.

The version of EvilGnome that Intezer Labs found on VirusTotal also contained keylogger functionality, which suggests that its developer probably uploaded it by mistake.

According to the researchers, EvilGnome is true spyware that poses as just another GNOME shell extension.

This spyware comes as a self-extracting script created with "makeself", a small shell script that generates a self-extracting compressed tar file from a directory.

It persists on the target system using crontab, a tool similar to Windows Task Scheduler, and sends stolen user data to a remote server controlled by an attacker.

"Persistence is achieved by registering gnome-shell-ext.sh to run every minute in crontab. Finally, the script runs gnome-shell-ext.sh, which in turn launches the main executable gnome-shell-ext," the researchers said.

About the composition of EvilGnome

EvilGnome integrates five malicious modules called "Shooters":

  1. ShooterSound, which uses PulseAudio to capture audio from the user's microphone and upload the data to the operator's command and control (C&C) server.
  2. ShooterImage, which uses the open source Cairo library to take screenshots by opening a connection to the XOrg display server, then uploads them to the C&C server.
  3. ShooterFile, which uses a list of filters to scan the file system for newly created files and upload them to the C&C server.
  4. ShooterPing, which receives new commands from the C&C server, including one that puts all the Shooters on standby.
  5. ShooterKey, which has not yet been implemented or used; probably an unfinished keylogger module.

These modules encrypt the data they send and decrypt the commands they receive from the C&C server with the RC5 key "sdg62_AS.sa$die3", using a modified version of a Russian open source library.

The researchers also found links between EvilGnome and Gamaredon, an alleged Russian threat group that has been active since at least 2013 and targets people who work with the Ukrainian government.

The operators of EvilGnome use a hosting provider that the Gamaredon Group has used for years and continues to use.

"We think it is a premature trial version. We anticipate that new versions will be discovered and reviewed in the future, which could lead to a better understanding of the group's activities," the researchers concluded.

Finally, Linux users who want to check whether they are infected are advised to look in the directory

~/.cache/gnome-software/gnome-shell-extensions

for the executable "gnome-shell-ext".
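The check above and the crontab persistence the researchers describe can be combined into a small script. This is an added example, not code from the article or from Intezer Labs: the cache path, the executable name and the launcher script gnome-shell-ext.sh are taken from the article, while the function names and the sample crontab lines used for testing are my own assumptions.

```sh
#!/bin/sh
# Added example (not from the article or Intezer): look for the two EvilGnome
# indicators the article names, the dropped executable under the GNOME
# software cache and the crontab entry that launches gnome-shell-ext.sh.

EVILGNOME_REL_DIR="gnome-software/gnome-shell-extensions"

# Usage: evilgnome_check_path [cache_root]
# Prints each suspicious file found under cache_root (default: $HOME/.cache).
# Returns 0 when the executable or its launcher script is present, 1 otherwise.
evilgnome_check_path() {
    root="${1:-$HOME/.cache}"
    found=1
    for name in gnome-shell-ext gnome-shell-ext.sh; do
        f="$root/$EVILGNOME_REL_DIR/$name"
        if [ -e "$f" ]; then
            echo "indicator: $f exists"
            found=0
        fi
    done
    return $found
}

# Usage: printf '%s\n' "$crontab_text" | evilgnome_check_crontab
# Returns 0 when any non-comment crontab line references gnome-shell-ext.sh
# (the researchers describe a five-star, every-minute schedule, but any
# reference to the launcher is reported), 1 otherwise.
evilgnome_check_crontab() {
    matches=$(grep -v '^[[:space:]]*#' | grep 'gnome-shell-ext\.sh') || return 1
    printf 'indicator: crontab line: %s\n' "$matches"
    return 0
}

# Usage: evilgnome_scan [cache_root] [crontab_text]
# Runs both checks; defaults to the current user's cache and crontab.
# Returns 0 when no indicator was found, 1 when at least one was.
evilgnome_scan() {
    root="${1:-$HOME/.cache}"
    cron="${2:-$(crontab -l 2>/dev/null)}"
    clean=0
    evilgnome_check_path "$root" && clean=1
    printf '%s\n' "$cron" | evilgnome_check_crontab && clean=1
    return $clean
}

if evilgnome_scan; then
    echo "no EvilGnome indicators found for the current user"
else
    echo "EvilGnome indicators present; inspect the files above before removing them"
fi
```

Run it as the user whose GNOME session is suspect, since both the cache directory and the crontab are per user; a clean result for one account says nothing about the others on the machine.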

Source: https://www.intezer.com/


2 comments

  1. ja said

    And that is achieved by unzipping the tar, installing it, and giving it root permissions.
    That is what any moderately informed Linux user usually does, right?

  2. newbie said

    Being hidden as a GNOME extension, it is unlikely to be downloaded by users of other desktops, such as KDE.