Intezer security researchers have discovered a new backdoor targeting Linux systems with the purpose of spying on users.
Dubbed EvilGnome, the threat disguises itself as a Gnome shell extension and appears to be related to the Gamaredon Group, a threat actor alleged to be Russian. The analyzed sample appears to be a test version that was uploaded to VirusTotal by mistake.
The implant was found to include unfinished keylogging capabilities, as well as comments, symbol names and compilation metadata that aren’t normally found in production builds.
EvilGnome is capable of taking screenshots, stealing files, capturing audio recordings from the user’s microphone, and downloading and executing further modules.
The analysis of EvilGnome has revealed a series of similarities with the Gamaredon Group, which has been active since at least 2013, and which is known for the targeting of individuals likely involved with the Ukrainian government.
The group uses spear-phishing emails containing malicious attachments to infect victims with implants mainly designed to steal information. The actor uses Russian hosting providers to distribute malware.
The operators of EvilGnome use a hosting provider that the Gamaredon Group has been using for years, and were also observed serving SSH over port 3436 – which led to the discovery of a Gamaredon server also serving SSH over port 3436.
Moreover, techniques and modules employed by EvilGnome are reminiscent of Gamaredon Group’s Windows tools, including the use of SFX, persistence with task scheduler and the deployment of information stealers.
The new Linux implant is delivered as a self-extracting archive shell script created with makeself, a small shell script that packs a directory into a compressed archive that is itself executable as a shell script, commonly given a .run suffix. The operators did not strip the archive’s metadata, which revealed that the sample was built on July 4.
The setup script attempts to install the malware to ~/.cache/gnome-software/gnome-shell-extensions/, so as to masquerade as a Gnome shell extension. For persistence, gnome-shell-ext.sh is registered to run every minute in crontab.
The script is then executed to launch the main agent executable, gnome-shell-ext. The spy agent was built in C++ with an object-oriented class structure.
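The install path and the every-minute cron job described above are a straightforward hunting signal: no legitimate Gnome shell extension is loaded from ~/.cache (user extensions live under ~/.local/share/gnome-shell/extensions/, system ones under /usr/share/gnome-shell/extensions/), and nothing benign in that directory needs to be re-launched every minute. The following is an added example written for this page, not code from Intezer or from the implant; it parses user crontab text and flags jobs that match the EvilGnome pattern. The crontab lines it scans are constructed, and the directory and script names come from the report.

```python
"""Flag crontab entries matching the EvilGnome persistence pattern.

Added example for this page (not Intezer's tooling). Scans crontab text for
jobs that run every minute from a path under ~/.cache, which is where the
EvilGnome installer drops its fake "extension" (real GNOME Shell extensions
live under ~/.local/share/gnome-shell/extensions/ or
/usr/share/gnome-shell/extensions/).
"""
import re
import shlex

# Install directory and persistence script name from the report.
EVILGNOME_DIR = ".cache/gnome-software/gnome-shell-extensions"
EVILGNOME_SCRIPT = "gnome-shell-ext.sh"

EVERY_MINUTE = ("*", "*", "*", "*", "*")


def parse_crontab_line(line: str):
    """Return (schedule, command) for a job line, or None for comments,
    blank lines and variable assignments such as MAILTO=...."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", stripped):
        return None
    fields = stripped.split(None, 5)
    if stripped.startswith("@"):  # @reboot, @hourly, ...: a single schedule field
        if len(fields) < 2:
            return None
        return ((fields[0],), " ".join(fields[1:]))
    if len(fields) < 6:
        return None
    return (tuple(fields[:5]), fields[5])


def classify_job(schedule, command: str) -> list:
    """List the reasons a job looks like EvilGnome persistence (empty = clean)."""
    reasons = []
    try:
        argv = shlex.split(command)
    except ValueError:
        argv = command.split()
    executable = argv[0] if argv else ""
    # "sh /path/script.sh" style jobs: look at the script, not the interpreter.
    if executable.rsplit("/", 1)[-1] in ("sh", "bash", "dash") and len(argv) > 1:
        executable = argv[1]
    if EVILGNOME_DIR in executable:
        reasons.append("runs from the EvilGnome install directory")
    if executable.endswith("/" + EVILGNOME_SCRIPT) or executable == EVILGNOME_SCRIPT:
        reasons.append("runs the EvilGnome persistence script name")
    if tuple(schedule) == EVERY_MINUTE and "/.cache/" in executable:
        reasons.append("every-minute job executing from ~/.cache")
    return reasons


def find_suspicious_jobs(crontab_text: str) -> list:
    """Return [(line_number, command, reasons)] for every suspicious job."""
    hits = []
    for number, line in enumerate(crontab_text.splitlines(), 1):
        parsed = parse_crontab_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        reasons = classify_job(schedule, command)
        if reasons:
            hits.append((number, command, reasons))
    return hits


# Constructed sample crontab (not a real capture): a benign backup job,
# an EvilGnome-style job, and a benign @reboot job from the real extension path.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=""
0 3 * * * /usr/local/bin/backup.sh --quiet
* * * * * /home/alice/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
@reboot /home/alice/.local/share/gnome-shell/extensions/sync.sh
"""

if __name__ == "__main__":
    for number, command, reasons in find_suspicious_jobs(SAMPLE_CRONTAB):
        print(f"line {number}: {command}\n    " + "; ".join(reasons))
```

Run it against `crontab -l` output for each user on the host. To look inside a suspicious makeself-built .run file without executing its payload, use the flags the generated archive itself understands: `--info` and `--list` print the build metadata and packed file list, and `--noexec --target <dir>` unpacks without running the embedded setup script.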
The spy agent contains five modules, to capture sound from the microphone, capture screenshots from the desktop, scan the system for new files, receive new commands from the command and control (C&C) server, and log keystrokes (the feature hasn’t been implemented yet).
Each of these modules is run in a separate thread, while access to shared resources is safeguarded through mutexes. Each module uses RC5 with the key “sdg62_AS.sa$die3” to encrypt or decrypt data to and from the C&C.
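A hard-coded symmetric key is the weak point of this design: anyone with the sample has the key, so captured C&C traffic can be decrypted offline. The block below is an added example for this page, not code from the implant or from Intezer, showing RC5 keyed with the string reported above. The article names only the cipher and the key; the word size and round count (textbook RC5-32/12/16) and the block mode (ECB with PKCS#7-style padding) are assumptions made here to show the primitive, not a reproduction of the implant’s exact wire format. The sample message is constructed.

```python
"""RC5 keyed with the EvilGnome C&C key from the report.

Added example (not the implant's code). Assumptions: RC5-32/12/16 parameters,
little-endian word packing and ECB with PKCS#7-style padding; the article
does not state any of these.
"""
import struct

W = 32                               # word size in bits (assumed)
ROUNDS = 12                          # round count (assumed)
MASK = (1 << W) - 1
P32, Q32 = 0xB7E15163, 0x9E3779B9    # RC5 constants for w = 32 (Odd(e-2), Odd(phi-1))
BLOCK = 2 * W // 8                   # 8-byte block

KEY = b"sdg62_AS.sa$die3"            # key reported for EvilGnome, 16 bytes


def _rotl(x, y):
    y &= W - 1
    return ((x << y) | (x >> (W - y))) & MASK if y else x


def _rotr(x, y):
    y &= W - 1
    return ((x >> y) | (x << (W - y))) & MASK if y else x


def expand_key(key: bytes, rounds: int = ROUNDS) -> list:
    """RC5 key schedule: returns the t = 2(r+1) round subkeys S."""
    u = W // 8
    c = max(1, (len(key) + u - 1) // u)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):       # key bytes packed little-endian into words
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    t = 2 * (rounds + 1)
    S = [P32]
    for _ in range(1, t):
        S.append((S[-1] + Q32) & MASK)
    i = j = A = B = 0
    for _ in range(3 * max(t, c)):              # mix the secret key into S
        A = S[i] = _rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def encrypt_block(block: bytes, S: list) -> bytes:
    A, B = struct.unpack("<II", block)
    A = (A + S[0]) & MASK
    B = (B + S[1]) & MASK
    for r in range(1, len(S) // 2):
        A = (_rotl(A ^ B, B) + S[2 * r]) & MASK
        B = (_rotl(B ^ A, A) + S[2 * r + 1]) & MASK
    return struct.pack("<II", A, B)


def decrypt_block(block: bytes, S: list) -> bytes:
    A, B = struct.unpack("<II", block)
    for r in range(len(S) // 2 - 1, 0, -1):
        B = _rotr((B - S[2 * r + 1]) & MASK, A) ^ A
        A = _rotr((A - S[2 * r]) & MASK, B) ^ B
    B = (B - S[1]) & MASK
    A = (A - S[0]) & MASK
    return struct.pack("<II", A, B)


def encrypt(data: bytes, key: bytes = KEY) -> bytes:
    """ECB with PKCS#7-style padding (mode assumed, see module docstring)."""
    S = expand_key(key)
    pad = BLOCK - len(data) % BLOCK
    data = data + bytes([pad]) * pad
    return b"".join(encrypt_block(data[i:i + BLOCK], S) for i in range(0, len(data), BLOCK))


def decrypt(data: bytes, key: bytes = KEY) -> bytes:
    if not data or len(data) % BLOCK:
        raise ValueError("ciphertext length must be a positive multiple of the block size")
    S = expand_key(key)
    plain = b"".join(decrypt_block(data[i:i + BLOCK], S) for i in range(0, len(data), BLOCK))
    pad = plain[-1]
    if not 1 <= pad <= BLOCK or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key or corrupted data")
    return plain[:-pad]


if __name__ == "__main__":
    sample = b"constructed module output, not a real capture"   # constructed input
    wire = encrypt(sample)
    print(wire.hex())
    print(decrypt(wire))
```

With the mode assumed here, identical 8-byte plaintext blocks produce identical ciphertext blocks, so even without the key an analyst can spot repeated structure in captured traffic; with the key, which ships in every sample, the whole channel is readable. Before relying on this code against real traffic, check it against the RC5-32/12/16 test vectors in Rivest’s RC5 paper and confirm the implant’s actual parameters and mode from the binary.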
Based on the commands received from the server, the malware can download and execute files, set new filters for scanning, download and set new runtime configurations, exfiltrate stored output to the C&C, or stop the modules from running.
“EvilGnome is a rare type of malware due to its appetite for Linux desktop users. […] We anticipate newer versions to be discovered and reviewed in the future, which could potentially shed more light into the group’s operations,” Intezer concludes.