Thursday, December 7, 2023

New Linux Malware “EvilGnome” Spying on Linux Desktop Users and Steal Sensitive Files

Researchers discovered a new Linux malware called “EvilGnome” with previously unseen functionalities that capable of creating a backdoor and spying the Linux desktop users.

Based on the evidence and the operational similarities, the implant possibly distributed by Gamaredon Group, a Russian based threat group that has been active since at least 2013.

Gamaredon Group attack victims using a different form of malicious attachments, delivered via spear-phishing techniques and employed the information-stealing tools.

This malware impersonates the Gnome extension so that researchers from intezer named the implant EvilGnome which is completely undetected by all the major security software from leading vendors.

Since 70% web server market share occupied with Linux-based operating systems, Linux malware ecosystem is plagued by financial driven crypto-miners and DDoS botnet tools which mostly target vulnerable servers.

EvilGnome Infrastructure Similarities with Gamaredon 

Gamaredon Group does not use any known Linux implants. EvilGnome employed the techniques and modules use of SFX, a deployment of information-stealing tools and persistence with task scheduler.

Researchers discovered that the threat actors who behind EvilGnome using a hosting provider which is used by Gamaredon Group for a year and they found a C2 server IP address that resolves 2 domains, gamework[.]ddns[.]net and workan[.]ddns[.]net.

Further investigation with C2 server reveals that it served SSH over port 3436. in which, a port open was identified that serving SSH, which means that both on EvilGnome C2 and Gamaredon’s using the methods.

Infection Process

Initially, EvilGnome delivers a self-extracting archive shell script created with makeself,  a small shell script that generates a self-extractable compressed tar archive from a directory.

There are 4 different files are identified with the archived,

  1. gnome-shell-ext – the spy agent executable
  2. – checks if gnome-shell-ext is already running and if not, executes it
  3. rtp.dat– configuration file for gnome-shell-ext
  4. – the setup script that is run by makeself after unpacking

When analyzing the spy agent, researchers uncovered that the code was never seen before by the system and it was built in C++.

Researchers from Intezer digging deeper into spy agent and they find five new modules called “Shooters” which can perform different activities with respective commands.

ShooterSound – captures audio from the user’s microphone and uploads to C2
ShooterImage – captures screenshots and uploads to C2
ShooterFile – scans the file system for newly created files and uploads them to C2
ShooterPing – receives new commands from C2
ShooterKey – unimplemented and unused, most likely an unfinished keylogging module

“Researchers believe this is a premature test version. We anticipate newer versions to be discovered and reviewed in the future”




Gamaredon Group:

Related Read

Hackers Use Linux Malware HiddenWasp to Attack Linux Systems for Gaining Remote Access

New Linux Coin Miner that Deletes Other Linux Malware and Coin Miners


Latest articles

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...

SLAM Attack Gets Root Password Hash in 30 Seconds

Spectre is a class of speculative execution vulnerabilities in microprocessors that can allow threat...

Akira Ransomware Exploiting Zero-day Flaws For Organization Network Access

The Akira ransomware group, which first appeared in March 2023, has been identified as...

Hackers Deliver AsyncRAT Through Weaponized WSF Script Files

The AsyncRAT malware, which was previously distributed through files with the .chm extension, is now being...

BlueNoroff: New Malware Attacking MacOS Users

Researchers have uncovered a new Trojan-attacking macOS user that is associated with the BlueNoroff APT...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles