“Linux desktop remains an unpopular choice among mainstream desktop users, making up a little more than 2% of the desktop operating system market share.” reads the analysis published by Intezer. ” This explains our surprise when in the beginning of July, we discovered a new, fully undetected Linux backdoor implant, containing rarely seen functionalities with regards to Linux malware, targeting desktop users.”
The experts confirmed that the spy agent used by the threat actors was never seen before.
The Gamaredon APT was first spotted in 2013, last year researchers at LookingGlass have shared the details of a cyber espionage campaign, tracked as Operation Armageddon, targeting Ukrainian entities.
The Security Service of Ukraine (SBU) blamed
The sample analyzed by Intezer was uploaded to VirusTotal by mistake,
EvilGnome allows attackers to take screenshots, steal files, capture audio recordings from the microphone, and download and execute other payloads.
The attack starts with spear-phishing emails containing weaponized attachments, the malware is distributed via Russian hosting providers.
The hosting provider used by attackers behind
The Linux implant is delivered in the form of a self-extracting archive shell script created with
The setup script installs the malicious code to ~/.
In the last step of the installation process, the script executes
“The Spy Agent was built in C++, using classes with an object oriented structure. The binary was not stripped, which allowed us to read symbols and understand the developer’s intentions.” continues the analysis.
“At launch, the agent forks to run in a new process. The agent then reads the rtp.dat configuration file and loads it directly into memory”
The spy agent is composed of
The modules access to shared resources that are safeguarded through
The malware supports several commands, it can download and execute files, set new filters for scanning, download and set new runtime configurations,
(SecurityAffairs – EvilGnome, Linux malware)