CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?



EvilGnome Malware Helps Hackers Spy on Linux Users

Intezer security researchers have discovered a new backdoor targeting Linux systems with the purpose of spying on users.

Intezer security researchers have discovered a new backdoor targeting Linux systems with the purpose of spying on users.

Dubbed EvilGnome, the threat disguises as a Gnome extension and appears related to the Gamaredon Group, an alleged Russian threat actor. The analyzed sample appears to be a test version that was uploaded to VirusTotal by mistake.

The implant was found to include unfinished keylogging capabilities, as well as comments, symbol names and compilation metadata that isn’t normally found in production versions.

EvilGnome is capable of taking screenshots, stealing files, capturing audio recordings from the user’s microphone, and downloading and executing further modules.

The analysis of EvilGnome has revealed a series of similarities with the Gamaredon Group, which has been active since at least 2013, and which is known for the targeting of individuals likely involved with the Ukrainian government.

The group uses spear-phishing emails containing malicious attachments to infect victims with implants mainly designed to steal information. The actor uses Russian hosting providers to distribute malware.

The operators of EvilGnome use a hosting provider that the Gamaredon Group has been using for years, and were also observed serving SSH over port 3436 – which led to the discovery of a Gamaredon server also serving SSH over port 3436.

Moreover, techniques and modules employed by EvilGnome are reminiscent of Gamaredon Group’s Windows tools, including the use of SFX, persistence with task scheduler and the deployment of information stealers.

Advertisement. Scroll to continue reading.

The new Linux implant is delivered in the form of a self-extracting archive shell script created with makeself, a small shell script that makes files look as shell scripts, many with a .run suffix. The operators did not remove metadata, which revealed that the sample was created on July 4.

The setup script attempts to install the malware to ~/.cache/gnome-software/gnome-shell-extensions/, so as to masquerade as a Gnome shell extension. For persistence, is registered to run every minute in crontab.

The script is then executed to launch the main agent executable, gnome-shell-ext. The spy agent was built in C++, using classes with an object oriented structure.

The spy agent contains five modules, to capture sound from the microphone, capture screenshots from the desktop, scan the system for new files, receive new commands from the command and control (C&C) server, and log keystrokes (the feature hasn’t been implemented yet).

Each of these modules is run in a separate thread, while access to shared resources is safeguarded through mutexes. Each module uses RC5 with the key “$die3” to encrypt or decrypt data to and from the C&C.

Based on the commands received from the server, the malware can download and execute files, set new filters for scanning, download and set new runtime configurations, exfiltrate stored output to the C&C, or stop the modules from running.

“EvilGnome is a rare type of malware due to its appetite for Linux desktop users. […] We anticipate newer versions to be discovered and reviewed in the future, which could potentially shed more light into the group’s operations,” Intezer concludes.

Related: Sophisticated HiddenWasp Malware Targets Linux

Related: “Gamaredon” Group Uses Custom Malware in Ukraine Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...