UPDATED: Linux Becomes Attractive To Trojan Download Manager
An Updated Look at Recent Attacks
Linux machines have become an attractive target for threat actors, with a significant increase in attacks observed.
According to recent data, there were 260,000 unique Linux samples detected in the first half of 2023 alone. What's more concerning is that these campaigns can continue for extended periods without being noticed by the cybersecurity community.
The alarming nature of these attacks became evident when researchers decided to investigate a set of suspicious domains. Among them were domains such as the following:
These domains raised red flags as they indicated potential malware using domain-generation algorithms for command-and-control (C2) communications. To gain a better understanding, the researchers focused on the fdmpkg[.]org domain.
During their analysis, the researchers discovered that the domain had a subdomain called deb.fdmpkg[.]org. Upon visiting the website, they found a web page claiming to host a Debian repository for software called 'Free Download Manager.' What caught their attention was a Debian package of this software available for download from the URL:
Update: The Free Download Manager company responded to the researchers’ security concerns with a formal statement.
“Upon this discovery, we initiated a thorough investigation. We’re reinforcing our defenses and implementing additional measures to prevent such vulnerabilities in the future,” Free Download Manager wrote.
The company instructed users to “conduct a malware scan” of any device from which they initiated downloads during the incident’s window.
When the incident was first detected, a closer inspection revealed that the package contained an infected postinst script that was executed upon installation. The script dropped two ELF files, /var/tmp/crond and /var/tmp/bs, and established persistence by creating a cron task that launched the /var/tmp/crond file every 10 minutes. Notably, the infected package installed a version of Free Download Manager released on January 24, 2020.
The postinst script contained comments in Russian and Ukrainian, providing insight into improvements made to the malware and activist statements referring to dates in early 2020.
The researchers then discovered that the executable /var/tmp/crond launched through cron on every startup served as a backdoor. This backdoor did not import functions from external libraries and leveraged the statically linked dietlibc library to access the Linux API via syscalls. Upon startup, the backdoor made a type A DNS request to the <hex-encoded 20-byte string>.u.fdmpkg[.]org domain. In response, it received two IP addresses that encoded the address and port of a secondary C2 server. At the time of the research, the two IP addresses were 172.111.48[.]101 and 172.1.0[.]80.
This discovery highlights the evolving threat landscape for Linux machines and the need for heightened vigilance among cybersecurity professionals. The ability of these attacks to go undetected for extended periods underscores the importance of regular monitoring and analysis. Organizations that rely on Linux machines should take appropriate measures to bolster their security posture, including keeping software up to date and implementing robust threat detection and prevention mechanisms.
All stakeholders in the cybersecurity community are urged to stay informed about the latest attack techniques and continuously evolve their defense strategies. By collaborating and sharing knowledge, we can collectively work towards mitigating the growing threats faced by Linux machines and ensuring a safer digital ecosystem.
Free Download Manager (FDM) has released a script to help Linux users detect if they were infected by a recent supply chain attack. The script identifies the presence of the malware by checking specific files on the system, but does not remove them. If malware is detected, users must manually clean their systems or consider a full reinstall.
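As an added illustration of the host-side and network-side checks described above (the dropped files and cron entry from the postinst script, and the beacon to a hex-labelled subdomain of u.fdmpkg.org), the following is example detection logic, not FDM's published script nor the researchers' code. The DNS log format and the sample lines are constructed for the example.

```python
import os
import re

# Indicators named in the analysis of the trojanized Debian package.
DROPPED_FILES = ("/var/tmp/crond", "/var/tmp/bs")
BACKDOOR_PATH = "/var/tmp/crond"
C2_PARENT = "u.fdmpkg.org"
# The backdoor's first-stage beacon: a 20-byte value, hex-encoded (40 hex
# chars), used as the leftmost label under u.fdmpkg.org.
BEACON_RE = re.compile(r"^[0-9a-f]{40}\." + re.escape(C2_PARENT) + r"\.?$", re.I)

def dropped_files_present(existing_paths=None):
    """Return the indicator paths that exist. If no path list is given,
    consult the live filesystem (hypothetical use on a host being triaged)."""
    if existing_paths is None:
        return [p for p in DROPPED_FILES if os.path.exists(p)]
    present = set(existing_paths)
    return [p for p in DROPPED_FILES if p in present]

def cron_entries_launching_backdoor(crontab_lines):
    """Return non-comment crontab lines that launch /var/tmp/crond."""
    hits = []
    for line in crontab_lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if BACKDOOR_PATH in stripped.split():
            hits.append(stripped)
    return hits

def suspicious_dns_queries(log_lines):
    """Return queried names matching the beacon pattern. Assumed (constructed)
    log format: '<timestamp> <client-ip> <qtype> <qname>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "A" and BEACON_RE.match(parts[3]):
            hits.append(parts[3])
    return hits

# Constructed sample inputs: one benign and one matching line of each kind.
SAMPLE_CRONTAB = ["# m h dom mon dow command",
                  "0 3 * * * /usr/bin/apt-get update",
                  "*/10 * * * * /var/tmp/crond"]
SAMPLE_DNS_LOG = ["2023-09-12T10:00:01Z 10.0.0.5 A deb.debian.org",
                  "2023-09-12T10:00:07Z 10.0.0.5 A "
                  "0123456789abcdef0123456789abcdef01234567.u.fdmpkg.org",
                  "2023-09-12T10:00:09Z 10.0.0.5 AAAA abc.u.fdmpkg.org"]
```

On a real host the same checks would run against the system and user crontabs and the resolver's query log; a hit on any of the three indicates the trojanized package was installed and the host needs manual cleanup or reinstallation, as FDM advises.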