A download manager website served Linux users malware that stealthily stole passwords and other sensitive information for more than three years as part of a supply chain attack.
The modus operandi entailed establishing a reverse shell to an actor-controlled server and installing a Bash stealer on the compromised system. The campaign, which took place between 2020 and 2022, is no longer active.
“This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure),” Kaspersky researchers Georgy Kucherin and Leonid Bezvershenko said.
The website in question is freedownloadmanager[.]org, which, according to the Russian cybersecurity company, offers a legitimate Linux application called “Free Download Manager,” but beginning in January 2020, started redirecting some users who attempted to download it to another domain, deb.fdmpkg[.]org, that served a booby-trapped Debian package.
It is suspected that the malware authors engineered the attack based on certain predefined filtering criteria (say, a digital fingerprint of the system) to selectively lead potential victims to the malicious version. The rogue redirects ended in 2022 for unexplained reasons.
The Debian package contains a post-install script that is executed on installation to drop two ELF files, /var/tmp/bs and a DNS-based backdoor (/var/tmp/crond) that launches a reverse shell to a command-and-control (C2) server, whose address is received in response to a DNS request to one of the four domains –
- 2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg[.]org
- c6d76b1748b67fbc21ab493281dd1c7a558e3047.u.fdmpkg[.]org
- 0727bedf5c1f85f58337798a63812aa986448473.u.fdmpkg[.]org
- c3a05f0dac05669765800471abc1fdaba15e3360.u.fdmpkg[.]org
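Because the malicious behaviour lived in the package's maintainer script rather than in the application itself, a defender can catch this class of supply chain tampering by inspecting a .deb's control archive before installing it. The following is an added example (not Kaspersky's tooling or anything from the original article): it walks the ar container of a .deb in pure Python, pulls the maintainer scripts out of control.tar.*, and flags patterns matching what the article describes (writes to /var/tmp, decoding an embedded payload, marking a dropped file executable). The package it scans is a constructed in-memory fixture whose postinst imitates the described drop with an inert placeholder string; the pattern list and reason strings are my own.

```python
import io, re, tarfile

MAINT_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# (pattern, reason) pairs; the first mirrors the /var/tmp/bs and /var/tmp/crond drop described above
SUSPICIOUS = [
    (r"/var/tmp/", "writes to /var/tmp"),
    (r"\bbase64\s+(-d|--decode)\b", "decodes an embedded base64 payload"),
    (r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", "pipes a download into a shell"),
    (r"\bchmod\s+(\+x|[0-7]*[1357])", "marks a dropped file executable"),
]

def ar_members(data: bytes):
    """Walk the members of a .deb (a plain 'ar' archive); yields (name, bytes)."""
    if data[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    off = 8
    while off + 60 <= len(data):
        hdr = data[off:off + 60]                      # fixed 60-byte ar header
        name = hdr[0:16].decode().strip().rstrip("/")
        size = int(hdr[48:58])
        yield name, data[off + 60:off + 60 + size]
        off += 60 + size + (size & 1)                 # members are 2-byte aligned

def scan_deb(deb: bytes) -> dict:
    """Return {script_name: [reasons]} for maintainer scripts that match SUSPICIOUS."""
    findings = {}
    for name, body in ar_members(deb):
        if not name.startswith("control.tar"):       # maintainer scripts live only here
            continue
        with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tar:
            for m in tar.getmembers():
                base = m.name.lstrip("./")
                if base in MAINT_SCRIPTS and m.isfile():
                    text = tar.extractfile(m).read().decode("utf-8", "replace")
                    hits = [why for pat, why in SUSPICIOUS if re.search(pat, text)]
                    if hits:
                        findings[base] = hits
    return findings

def build_deb(scripts: dict) -> bytes:
    """Constructed fixture: a minimal in-memory .deb carrying the given maintainer scripts."""
    tgz = io.BytesIO()
    with tarfile.open(fileobj=tgz, mode="w:gz") as tar:
        for n, c in {"control": "Package: demo\nVersion: 1\n", **scripts}.items():
            info = tarfile.TarInfo("./" + n); info.size = len(c.encode()); info.mode = 0o755
            tar.addfile(info, io.BytesIO(c.encode()))
    def member(n: str, b: bytes) -> bytes:            # one ar member: 60-byte header + padded body
        return f"{n:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(b):<10}`\n".encode() + b + b"\n" * (len(b) % 2)
    return b"!<arch>\n" + member("debian-binary", b"2.0\n") + member("control.tar.gz", tgz.getvalue())

# Constructed postinst imitating the drop-to-/var/tmp behaviour from the article (inert placeholder, no payload).
DROPPER_POSTINST = "#!/bin/sh\necho 'not-a-real-elf' | base64 -d > /var/tmp/crond\nchmod +x /var/tmp/crond\n/var/tmp/crond &\n"
CLEAN_POSTINST = "#!/bin/sh\nset -e\nldconfig\n"
```

To check a downloaded package, read its bytes from disk and pass them to `scan_deb`; an empty result means no maintainer script matched, not that the package is clean, since the payload may also sit in data.tar.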
“The communication protocol is, depending on the connection type, either SSL or TCP,” the researchers said. “In the case of SSL, the crond backdoor launches the /var/tmp/bs executable and delegates all further communications to it. Otherwise, the reverse shell is created by the crond backdoor itself.”
The ultimate goal of the attack is to deploy a stealer malware and harvest sensitive data from the system. The collected information is then uploaded to the attacker’s server using an uploader binary downloaded from the C2 server.
crond, Kaspersky said, is a variant of a backdoor known as Bew that has been in circulation since 2013, while an early version of the Bash stealer malware was previously documented by Yoroi in June 2019.
It’s not immediately clear how the compromise actually took place or what the end goals of the campaign were. What is evident is that not everyone who downloaded the software received the rogue package, which allowed it to evade detection for years.
“While the campaign is currently inactive, this case of Free Download Manager demonstrates that it can be quite difficult to detect ongoing cyberattacks on Linux machines with the naked eye,” the researchers said.
“Thus, it is crucial that Linux machines, both desktop and server, are equipped with reliable and efficient security solutions.”
Some parts of this article are sourced from:
thehackernews.com