Thursday, March 28, 2024

New Linux Malware “EvilGnome” Spying on Linux Desktop Users and Steal Sensitive Files

Researchers discovered a new Linux malware called “EvilGnome” with previously unseen functionalities that capable of creating a backdoor and spying the Linux desktop users.

Based on the evidence and the operational similarities, the implant possibly distributed by Gamaredon Group, a Russian based threat group that has been active since at least 2013.

Gamaredon Group attack victims using a different form of malicious attachments, delivered via spear-phishing techniques and employed the information-stealing tools.

This malware impersonates the Gnome extension so that researchers from intezer named the implant EvilGnome which is completely undetected by all the major security software from leading vendors.

Since 70% web server market share occupied with Linux-based operating systems, Linux malware ecosystem is plagued by financial driven crypto-miners and DDoS botnet tools which mostly target vulnerable servers.

EvilGnome Infrastructure Similarities with Gamaredon 

Gamaredon Group does not use any known Linux implants. EvilGnome employed the techniques and modules use of SFX, a deployment of information-stealing tools and persistence with task scheduler.

Researchers discovered that the threat actors who behind EvilGnome using a hosting provider which is used by Gamaredon Group for a year and they found a C2 server IP address that resolves 2 domains, gamework[.]ddns[.]net and workan[.]ddns[.]net.

Further investigation with C2 server reveals that it served SSH over port 3436. in which, a port open was identified that serving SSH, which means that both on EvilGnome C2 and Gamaredon’s rnbo-ua.ddns.net using the methods.

Infection Process

Initially, EvilGnome delivers a self-extracting archive shell script created with makeself,  a small shell script that generates a self-extractable compressed tar archive from a directory.

There are 4 different files are identified with the archived,

  1. gnome-shell-ext – the spy agent executable
  2. gnome-shell-ext.sh – checks if gnome-shell-ext is already running and if not, executes it
  3. rtp.dat– configuration file for gnome-shell-ext
  4. setup.sh – the setup script that is run by makeself after unpacking

When analyzing the spy agent, researchers uncovered that the code was never seen before by the system and it was built in C++.

Researchers from Intezer digging deeper into spy agent and they find five new modules called “Shooters” which can perform different activities with respective commands.

ShooterSound – captures audio from the user’s microphone and uploads to C2
ShooterImage – captures screenshots and uploads to C2
ShooterFile – scans the file system for newly created files and uploads them to C2
ShooterPing – receives new commands from C2
ShooterKey – unimplemented and unused, most likely an unfinished keylogging module

“Researchers believe this is a premature test version. We anticipate newer versions to be discovered and reviewed in the future”

IOCs

EvilGnome:

a21acbe7ee77c721f1adc76e7a7799c936e74348d32b4c38f3bf6357ed7e803282b69954410c83315dfe769eed4b6cfc7d11f0f62e26ff546542e35dcd7106b7
7ffab36b2fa68d0708c82f01a70c8d10614ca742d838b69007f5104337a4b869
195.62.52[.]101

Gamaredon Group:
185.158.115[.]44
185.158.115[.]154
clsass.ddns[.]net
kotl[.]space

Related Read

Hackers Use Linux Malware HiddenWasp to Attack Linux Systems for Gaining Remote Access

New Linux Coin Miner that Deletes Other Linux Malware and Coin Miners

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles