EvilGnome: A New Backdoor Implant Spying on Linux Desktop Users

admin 2019-8-14 160

Security researchers have discovered a rare piece of Linux spyware that is currently undetected by all major antivirus products and includes functionality rarely seen in Linux malware, The Hacker News learned.

It is well known that very few strains of Linux malware exist in the wild compared with Windows viruses, because of Linux's core architecture and its low market share, and many of those that do exist offer only a narrow range of functionality.

In recent years, even after the disclosure of severe critical vulnerabilities in various flavors of Linux operating systems and software, cybercriminals failed to leverage most of them in their attacks.


Instead, most malware targeting the Linux ecosystem focuses on cryptocurrency mining for financial gain and on building DDoS botnets by hijacking vulnerable servers.

However, researchers at security firm Intezer Labs recently discovered a new Linux backdoor implant that appears to be in a development and testing phase but already includes several malicious modules to spy on Linux desktop users.

EvilGnome: New Linux Spyware


Dubbed EvilGnome, the malware has been designed to take desktop screenshots, steal files, capture audio recording from the user's microphone as well as download and execute further second-stage malicious modules.

According to a new report Intezer Labs shared with The Hacker News prior to its release, the EvilGnome sample it discovered on VirusTotal also contains unfinished keylogger functionality, which suggests that its developer uploaded it online by mistake.


The EvilGnome malware masquerades as a legitimate GNOME extension, a program that lets Linux users extend the functionality of their desktops.

According to the researchers, the implant is delivered in the form of a self-extracting archive shell script created with 'makeself,' a small shell script that generates a self-extractable compressed tar archive from a directory.


The Linux implant also gains persistence on a targeted system using crontab, similar to the Windows Task Scheduler, and sends stolen user data to a remote attacker-controlled server.

"Persistence is achieved by registering gnome-shell-ext.sh to run every minute in crontab. Finally, the script executes gnome-shell-ext.sh, which in turn launches the main executable gnome-shell-ext," the researchers said.

EvilGnome's Spyware Modules


The Spy Agent of EvilGnome contains five malicious modules called "Shooters," as explained below:

  • ShooterSound — this module uses PulseAudio to capture audio from the user's microphone and uploads the data to the operator's command-and-control server.
  • ShooterImage — this module uses the Cairo open source library to capture screenshots and uploads them to the C&C server. It does so by opening a connection to the XOrg display server, which is the backend of the GNOME desktop.
  • ShooterFile — this module uses a filter list to scan the file system for newly created files and uploads them to the C&C server.
  • ShooterPing — this module receives new commands from the C&C server, such as downloading and executing new files, setting new filters for file scanning, downloading and applying a new runtime configuration, exfiltrating stored output to the C&C server, and stopping any shooter module from running.
  • ShooterKey — this module is unimplemented and unused, which most likely is an unfinished keylogging module.


Notably, all the above modules encrypt their output data and decrypt commands received from the C&C server with RC5 key "sdg62_AS.sa$die3," using a modified version of a Russian open source library.

Possible Connection between EvilGnome and the Gamaredon Hacking Group


Furthermore, the researchers also found connections between EvilGnome and Gamaredon Group, an alleged Russian threat group that has been active since at least 2013 and has targeted individuals working with the Ukrainian government.


Below are some of the similarities between EvilGnome and the Gamaredon Group:

  • EvilGnome uses a hosting provider that has been used by the Gamaredon Group for years and continues to be used by it.
  • EvilGnome was also found to be operating on an IP address that was controlled by the Gamaredon Group two months ago.
  • The EvilGnome attackers also use the '.space' TLD for their domains, just as the Gamaredon Group does.
  • EvilGnome employs techniques and modules—such as the use of SFX archives, persistence via the task scheduler, and the deployment of information-stealing tools—that are reminiscent of the Gamaredon Group's Windows tools.


How to Detect EvilGnome Malware?


To check if your Linux system is infected with the EvilGnome spyware, you can look for the "gnome-shell-ext" executable in the "~/.cache/gnome-software/gnome-shell-extensions" directory.
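The check described above, written out as a small POSIX shell function (an added example, not part of the article or of Intezer's report). It assumes only what the text states: the dropped binary lives under ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext and persistence is a user crontab entry that runs gnome-shell-ext.sh; the function takes the home directory and crontab text as arguments so it can be run against a copied profile or a saved crontab dump as well as the live user.

```shell
#!/bin/sh
# Added example: host check for the two EvilGnome indicators the article names.
# Not the article's or Intezer's code; paths and crontab pattern come from the text.

# Location of the implant binary, relative to the user's home directory (from the article).
EVILGNOME_DIR=".cache/gnome-software/gnome-shell-extensions"
EVILGNOME_BIN="gnome-shell-ext"

# check_evilgnome HOME_DIR CRONTAB_TEXT
# Prints one line per indicator found. Returns 0 if any indicator matched, 1 if clean.
check_evilgnome() {
    home_dir="$1"
    crontab_text="$2"
    found=1

    # Indicator 1: the main executable dropped by the self-extracting archive.
    if [ -f "$home_dir/$EVILGNOME_DIR/$EVILGNOME_BIN" ]; then
        echo "indicator: $home_dir/$EVILGNOME_DIR/$EVILGNOME_BIN exists"
        found=0
    fi

    # Indicator 2: persistence, a crontab line that launches gnome-shell-ext.sh.
    # The article says it runs every minute, but any reference to the script is suspect.
    if printf '%s\n' "$crontab_text" | grep -q 'gnome-shell-ext\.sh'; then
        echo "indicator: crontab references gnome-shell-ext.sh"
        found=0
    fi

    return $found
}

# Live check for the current user. The user crontab may be empty or crontab may be
# missing on minimal systems, so errors from 'crontab -l' are ignored.
if check_evilgnome "$HOME" "$(crontab -l 2>/dev/null)"; then
    echo "EvilGnome indicators present: investigate this host"
else
    echo "no EvilGnome indicators found for $HOME"
fi
```

Run it as each desktop user (the paths are per user, not system wide); a match on either indicator warrants collecting the binary and the crontab before removal.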

"We believe this is a premature test version. We anticipate newer versions to be discovered and reviewed in the future, which could potentially shed more light into the group's operations," researchers conclude.


Since security and antivirus products currently fail to detect the EvilGnome malware, the researchers recommend that concerned Linux administrators block the command-and-control IP addresses listed in the IOC section of Intezer's blog post.

