Friday, July 19, 2024
EHA

New Linux Malware “EvilGnome” Spying on Linux Desktop Users and Steal Sensitive Files

Researchers discovered a new Linux malware called “EvilGnome” with previously unseen functionalities that capable of creating a backdoor and spying the Linux desktop users.

Based on the evidence and the operational similarities, the implant possibly distributed by Gamaredon Group, a Russian based threat group that has been active since at least 2013.

Gamaredon Group attack victims using a different form of malicious attachments, delivered via spear-phishing techniques and employed the information-stealing tools.

This malware impersonates the Gnome extension so that researchers from intezer named the implant EvilGnome which is completely undetected by all the major security software from leading vendors.

Since 70% web server market share occupied with Linux-based operating systems, Linux malware ecosystem is plagued by financial driven crypto-miners and DDoS botnet tools which mostly target vulnerable servers.

EvilGnome Infrastructure Similarities with Gamaredon 

Gamaredon Group does not use any known Linux implants. EvilGnome employed the techniques and modules use of SFX, a deployment of information-stealing tools and persistence with task scheduler.

Researchers discovered that the threat actors who behind EvilGnome using a hosting provider which is used by Gamaredon Group for a year and they found a C2 server IP address that resolves 2 domains, gamework[.]ddns[.]net and workan[.]ddns[.]net.

Further investigation with C2 server reveals that it served SSH over port 3436. in which, a port open was identified that serving SSH, which means that both on EvilGnome C2 and Gamaredon’s rnbo-ua.ddns.net using the methods.

Infection Process

Initially, EvilGnome delivers a self-extracting archive shell script created with makeself,  a small shell script that generates a self-extractable compressed tar archive from a directory.

There are 4 different files are identified with the archived,

  1. gnome-shell-ext – the spy agent executable
  2. gnome-shell-ext.sh – checks if gnome-shell-ext is already running and if not, executes it
  3. rtp.dat– configuration file for gnome-shell-ext
  4. setup.sh – the setup script that is run by makeself after unpacking

When analyzing the spy agent, researchers uncovered that the code was never seen before by the system and it was built in C++.

Researchers from Intezer digging deeper into spy agent and they find five new modules called “Shooters” which can perform different activities with respective commands.

ShooterSound – captures audio from the user’s microphone and uploads to C2
ShooterImage – captures screenshots and uploads to C2
ShooterFile – scans the file system for newly created files and uploads them to C2
ShooterPing – receives new commands from C2
ShooterKey – unimplemented and unused, most likely an unfinished keylogging module

“Researchers believe this is a premature test version. We anticipate newer versions to be discovered and reviewed in the future”

IOCs

EvilGnome:

a21acbe7ee77c721f1adc76e7a7799c936e74348d32b4c38f3bf6357ed7e803282b69954410c83315dfe769eed4b6cfc7d11f0f62e26ff546542e35dcd7106b7
7ffab36b2fa68d0708c82f01a70c8d10614ca742d838b69007f5104337a4b869
195.62.52[.]101

Gamaredon Group:
185.158.115[.]44
185.158.115[.]154
clsass.ddns[.]net
kotl[.]space

Related Read

Hackers Use Linux Malware HiddenWasp to Attack Linux Systems for Gaining Remote Access

New Linux Coin Miner that Deletes Other Linux Malware and Coin Miners

Website

Latest articles

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...

Cybercriminals Exploit Attack on Donald Trump for Crypto Scams

Researchers at Bitdefender Labs remain ever-vigilant, informing users about the latest scams and internet...

New TE.0 HTTP Request Smuggling Flaw Impacts Google Cloud Websites

HTTP Request Smuggling is a flaw in web security that is derived from variations...

Volcano Demon Group Attacking Organizations With LukaLocker Ransomware

The Volcano Demon group has been discovered spreading a new ransomware called LukaLocker, which...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles