The EvilGnomes Linux malware has been linked to infamous Russian threat actors from the Gamaredon Group.
The IT security researchers at Intezar Labs have discovered a sophisticated new backdoor Linux malware in the wild that has been developed to target Linux devices.
Dubbed EvilGnomes by researchers; the malware was found masquerading as a Gnome shell extension targeting Linux’s desktop users.
It is worth noting that the researchers spotted the malware after its author directly uploaded its test version on VirusTotal where none of the anti-virus software detected any suspicious activity.
According to Intezar Labs’ blog post, along with backdoor capabilities, EvilGnomes malware is also equipped with keylogging, it snaps desktop screenshots on a targeted device, steals files, record conversations through victim’s microphone and drop additional Linux malware on the system.
It is believed that EvilGnomes is associated with Russian threat actors from the Gamaredon Group who has been active since 2013, especially against the Ukrainian government. The Gamaredon Group uses spear-phishing campaigns to target its victims while its payloads are hosted and distributed from different Russian hosting companies.
EvilGnome also uses the same hosting company that has been used by the Gamaredon Group for years. Intezar Labs’ further noted that server used by the Gamaredon Group had SSH over port 3436 which happened to be the same used by EvilGnome.
The analysis further shows that this Linux implant is delivered in the form of a self-extracting archive shell script created with makeself, a small shell script that generates a self-extractable compressed tar archive from a directory.
The setup script installs the malware to ~/.cache/gnome-software/gnome-shell-extensions/ to disguise as a Gnome shell extension. Additionally, to gain persistence, gnome-shell-ext.sh is registered to run every minute in crontab.
Intezer Labs identified five modules in the EvilGnome backdoor implant:
ShooterAudio – This module records audio from the victim’s microphone and uploads it to C2
ShooterImage – This module takes screenshots of victim’s desktop uploads them to C2
ShooterFile – This module looks for files on the system and uploads them to C2
ShooterPing – This module receives new commands from C2
ShooterKey – This module hasn’t been used by malware authors as of now
“EvilGnome is a rare type of Linux malware due to its appetite for Linux desktop users. […] We anticipate newer versions to be discovered and reviewed in the future, which could potentially shed more light into the group’s operations,” said researchers.
Although Linux is a secure operating system, lately, cybercriminals have been successfully targeting Linux-based devices. For instance, earlier this year, a cryptocurrency malware called “SpeakUp” was found infecting Mac and Linux devices.
Last year, Linux users were hit by nasty “Xbash” malware equipped of disk wiping, ransomware, and cryptojacking capabilities. Therefore, no matter which operating system you are on, chances are that hackers can find their way to infiltrate and steal your data.